Abstract

We introduce a generalized Anshel-Anshel-Goldfeld (AAG) key establishment protocol (KEP) for magmas. This leads to the foundation of non-associative public-key cryptography (PKC), generalizing the concept of non-commutative PKC. We show that left selfdistributive systems appear in a natural special case of a generalized AAG-KEP for magmas, and we propose, among other instances, concrete realizations using f-conjugacy in groups and shifted conjugacy in braid groups. We discuss the advantages of our schemes compared with the classical AAG-KEP based on conjugacy in braid groups.



1 Introduction

Currently public key cryptography still relies mainly on a few number-theoretic problems, namely integer factorization [RSA78] and the computation of discrete logarithms in $\mathbb{Z}_p^*$ and over elliptic curves. The systems based on these problems remain unbroken. Nevertheless, after the advent of quantum computers, systems like RSA [RSA78] and its variants (e.g. [Ra79]), Diffie-Hellman (DH) [DH76], ElGamal [El85] and ECC [Mi85, Ko87] will be broken easily [Sh97, PZ03]. Under the label Post Quantum Cryptography, there have been several efforts to develop new cryptographic primitives which may also serve for the post quantum computer era. Here we focus on key establishment protocols (KEP's) as cryptographic primitives, because they are the most important and the hardest to construct. Note that, using hash functions, it is easy to build public key encryption schemes from KEP's.

One approach became later known as non-commutative cryptography. Recall that the algebraic structures involved in the number-theoretic systems are commutative groups and rings. In non-commutative cryptography these are replaced by non-commutative groups and rings, and we consider computational problems therein. One may say that, roughly, the discrete logarithm problem is replaced by the conjugacy problem and its variants. After some precursors, in particular [WM85], non-commutative cryptography was mainly established in a few seminal papers around the turn of the millennium [AAG99, KL+00, CK+01]. Of particular importance is the ingenious Anshel-Anshel-Goldfeld (AAG) Commutator KEP which only exists in the non-commutative setting, while the systems in [KL+00, CK+01] may be considered as straightforward non-commutative analogues of the classical DH-KEP.

Since they admit efficiently computable normal forms and a supposedly hard conjugacy problem, braid groups were explicitly suggested as platform groups for these systems. Nevertheless, explicit specifications of these systems in braid groups as well as most other non-commutative cryptosystems have been broken over the last decade. This led to some understandable decline of interest in non-commutative cryptography inside the main cryptographic community. A revival of non-commutative cryptography may be achieved by means of research in one of the following two directions.

The first approach is to stick with the suggested protocols and search for better platform groups. One may even keep braid groups as platforms and search for families of hard instances of the conjugacy problem that can be efficiently generated. Note that the main reason why braid-based cryptosystems have been broken is the fact that "randomly" generated keys turned out to be a very bad choice. This situation is quite typical for public-key cryptography. Consider, for example, the familiar RSA scheme where the keys have to be chosen with care.

Another approach is to construct new or generalized non-commutative cryptosystems which are based on other or supposedly harder computational problems. In this and some subsequent papers we pursue the latter approach. In particular, we broaden the scope of non-commutative cryptography as we go beyond non-commutative, associative binary operations - we utilize non-associative binary operations, i.e. magmas. Thus, we hope to establish the field of non-associative public-key cryptography. In particular, we generalize the AAG-KEP for monoids to a general AAG-KEP for magmas.

Outline. The paper is structured as follows. In section 2 we emphasize the important and integrating role of the AAG protocol in non-commutative and commutative cryptography. In particular, we introduce a generalized notion of AAG-KEP for monoids (section 2.1), and we show that not only the AAG commutator KEP for groups [AAG99] (section 2.2), but also the Ko-Lee et al. protocol, the group Diffie-Hellman protocol (section 2.3), and even the classical DH-KEP (section 2.5) are special instances of that generalized AAG scheme. Furthermore, we also subsume the Sakalauskas, Tvarijonas and Raulynaitis KEP (STR-KEP), a natural hybrid of the classical DH-KEP and the Ko-Lee-KEP, as a further instance (section 2.6).

The main innovative part of this paper is contained in the sections 3 and 4. In particular, in section 3.1 we extend the generalized AAG-KEP from monoids to magmas. Here finitely generated submonoids are replaced by f.g. submagmas, and Alice and Bob know their secret key submagma elements as products of the generators, including planar rooted binary trees describing the bracket structure of such products. First examples of instances of the generalized AAG-KEP for magmas are a non-associative KEP based on the simultaneous double coset problem and the symmetric decomposition problem (see sections 3.2 and 3.3).
The most interesting and natural instances of the generalized AAG-KEP for magmas come from left-selfdistributive (LD) systems and their generalizations (section 4). In section 4.1 we introduce LD- and multi-LD-systems with f-conjugacy in groups and shifted conjugacy in braid groups as key examples for LD-operations. The nonassociative AAG f-commutator KEP (section 4.2) and the AAG shifted commutator KEP (section 4.3) are discussed as major examples. We note that for these instances we may even drop the simultaneity of the underlying base problems (f- and shifted conjugacy problems), because here submagmas generated by one element still have a rich and complicated structure and a hard membership problem. This implies that these systems are the first KEP's based on the shifted and f-conjugacy problem.

In section 5 we discuss generalizations, like AAG-schemes over non-associative magmas, open problems and further work.

Summary. The main purpose of this paper is to popularize the notion of non-associative cryptography and to provide a general framework for non-associative and non-commutative KEP's by utilizing the unifying approach that stems from the general AAG-KEP for magmas. We argue for the superiority of the non-associative schemes introduced in section 4 compared to the classical non-commutative AAG commutator KEP.

Anyway, in our opinion the field of non-commutative cryptography has lacked, over the last years, a supply of new innovative cryptosystems. We hope that non-associative cryptography will contribute to a revived interest in non-commutative cryptography.

Outlook. Nevertheless, this is not the end, rather the beginning of the story of non-associative cryptography.

In the forthcoming paper [KaT12], by introducing a small asymmetry in the non-associative AAG protocol for magmas, we succeed in constructing non-associative KEP's for all LD- and multi-LD-systems (in general: sets with distributive operations). We consider the systems and instances given in [KaT12] as much more practical and interesting than the ones given in this paper. In particular, since these systems work for all LD- and multi-LD-systems, they offer two further advantages. First, we may consider encryption functions using iterated multiplication (in the magma) from the left. Therefore, in order to obtain the secret key an attacker has to solve an iterated f- or shifted conjugacy problem. Second, for a given (partial) multi-LD-system it turns out that even the used operations can be hidden, i.e., they are part of the secret key.

Historical remarks. Non-associative structures, in particular quasigroups, seem to have a long history in cryptography. For an overview on cryptographic applications of quasigroups and Latin squares, see [Shc09, GS10, Shc12]. In particular, we mention the work of Denes and Keedwell [DK74, DK91, DK92, DK02]. Nevertheless, except for authentication schemes and zero-knowledge protocols, most of these applications are in classical (i.e. symmetric key) cryptography. The earliest quasigroup-based public-key cryptosystem that we are aware of is due to Koscielny and Mullen [KM99].

Non-associative cryptography that goes beyond quasigroups, in particular the generalized AAG-KEP for magmas, was introduced by the author in his PhD thesis in 2007 [Ka07]. During a postdoctoral stay at the Bar-Ilan University, hosted by M. Teicher, we had the opportunity to refine and improve our non-associative systems. In particular, we developed the non-associative KEP's for all distributive systems [KaT12]. Over the last years we also had the opportunity to promote non-associative cryptography at several conferences, in particular in Dortmund 2007, Hoboken 2009, Montreal 2010, Caen 2011.
Other non-associative cryptosystems that came up during the last few years include [GMK08, MZ12].

Acknowledgements. This work is an extension of a part of my PhD thesis. Therefore, I wish to thank my supervisor L. Gerritzen for his kind support, encouragement, constant interest and steadfast patience. In particular, his great interest in non-associative algebraic structures as well as public key cryptography formed the scientific environment that made me bring these subjects together. I am greatly indebted to P. Dehornoy who introduced an authentication scheme based on his notion of shifted conjugacy [De06]. This in the first place inspired me to come up with a KEP based on shifted conjugacy and in the course of this work to invent non-associative cryptography.

I thank M. Teicher who was my host during my postdoctoral studies at Bar-Ilan University, Israel, in 2007-2011. For that time period I acknowledge financial support by The Oswald Veblen Fund and by the Minerva Foundation of Germany.

This paper was written up during my stay at the MPIM Bonn, Jan-March 2012, and finished during my postdoctoral stay at UQ, Brisbane. For the latter I acknowledge support by the Australian Research Council (project DP110101104). For valuable and stimulating discussions I thank L. Gerritzen, R. Holtkamp and R. Avanzi at Ruhr-University Bochum, M. Kreuzer and G. Rosenberger in Dortmund, B. Tsaban, D. Goldfeld, B. Kunyavskij and R. Cohen at BIU, A. Myasnikov, A. Ushakov and G. Zapata at CRM, D. Grigoriev and D. Tieudjo. For further discussions during conferences I thank J. Gonzalez-Meneses, P. Bellingeri, V. Gebhardt, E. and S.J. Lee. Particularly, I thank B. Tsaban for continuing discussions over the last years.

2 Anshel-Anshel-Goldfeld key establishment

2.1 AAG key establishment protocol for monoids

Here we use and describe a slightly generalized version of the AAG key establishment protocol for monoids [AAG99]. Though it is easy to introduce further generalisations, the following notion will suffice for our purposes.
For this general AAG key establishment protocol for monoids we need sets $S_1, S_2$, two feasible monoids $(M, \cdot_M)$, $(N, \cdot_N)$, and functions

$$\beta_i : S_i \times M \to N, \qquad \gamma_i : S_i \times N \to N, \qquad \pi_i : S_i \to M \qquad (i = 1, 2)$$

which satisfy the following conditions:

(1) For $i = 1, 2$, $\beta_i(x, \cdot) : M \to N$ is for all $x \in S_i$ a monoid homomorphism, i.e.

$$\forall x \in S_i,\ y_1, y_2 \in M : \quad \beta_i(x, y_1 \cdot_M y_2) = \beta_i(x, y_1) \cdot_N \beta_i(x, y_2).$$

(2) For $i = 1, 2$, it is, in general, not feasible to determine a secret $x \in S_i$ from the knowledge of $y_1, y_2, \ldots, y_k \in M$ and $\beta_i(x, y_1), \ldots, \beta_i(x, y_k) \in N$.

(3) For all $x \in S_1$ and $y \in S_2$: $\gamma_1(x, \beta_2(y, \pi_1(x))) = \gamma_2(y, \beta_1(x, \pi_2(y)))$.

Furthermore Alice and Bob select elements $s_1, \ldots, s_m, t_1, \ldots, t_n \in M$. These elements are public, and they define submonoids $S_A = \langle s_1, \ldots, s_m \rangle$ and $S_B = \langle t_1, \ldots, t_n \rangle$ of $M$. Now Alice and Bob have to perform the following protocol steps:
1. Alice generates an element $a \in S_1$ such that $\pi_1(a) \in S_A$, and Bob chooses a $b \in S_2$ s.t. $\pi_2(b) \in S_B$.

2. Alice computes the elements $\beta_1(a, t_1), \ldots, \beta_1(a, t_n)$ and publicly announces this list. This list is her public key. Analogously Bob computes the elements $\beta_2(b, s_1), \ldots, \beta_2(b, s_m)$ and publishes this list.

3. Knowing that $\pi_1(a) = r_1 \cdots r_k$ with $r_i \in \{s_1, \ldots, s_m\}$ for some $k \in \mathbb{N}$ and $i = 1, \ldots, k$, Alice computes from Bob's public key

$$\beta_2(b, \pi_1(a)) = \beta_2(b, r_1 \cdots r_k) \overset{(1)}{=} \beta_2(b, r_1) \cdots \beta_2(b, r_k).$$

And Bob, knowing $\pi_2(b) = u_1 \cdots u_{k'}$ with $u_j \in \{t_1, \ldots, t_n\}$ for some $k' \in \mathbb{N}$ and $j = 1, \ldots, k'$, computes from Alice's public key

$$\beta_1(a, \pi_2(b)) = \beta_1(a, u_1 \cdots u_{k'}) = \beta_1(a, u_1) \cdots \beta_1(a, u_{k'}).$$

4. Alice computes $K_A = \gamma_1(a, \beta_2(b, \pi_1(a)))$, and symmetrically Bob computes $K_B = \gamma_2(b, \beta_1(a, \pi_2(b)))$.

Because of (3), the equality $K_A = K_B$ holds in the monoid $N$. Now any key extractor $\phi$ defined on the monoid $N$ provides a shared key $\phi(K_A)$. Here a key extractor is any effectively computable function from a monoid to any keyspace¹ (compare with [AAG03]). A key extractor may be given by a normal form algorithm in the monoid, but in general the key extractor map need not be injective. Anyway, for brevity we will refer in the sequel to the monoid element $K := K_A \in N$ as the shared key.

Alice's secret key is the pair $(a, I) \in S_1 \times \{1, \ldots, m\}^k$ where $I$ denotes the index vector $(I_1, \ldots, I_k)$ such that $r_i = s_{I_i}$ for $i = 1, \ldots, k$, i.e., $I$ determines a word over $\{s_1, \ldots, s_m\}$ representing $\pi_1(a) \in S_A$. Analogously Bob's secret key is a pair $(b, J) \in S_2 \times \{1, \ldots, n\}^{k'}$.

The AAG key agreement scheme is formulated in a too general manner to be applied. For practical purposes we have to specify the sets $S_1, S_2$, the monoids $M, N$ and the functions $\beta_i, \gamma_i, \pi_i$ for $i = 1, 2$.

Setting $S_1 = S_2 = M$, $\beta_1 = \beta_2$ and $\pi_1 = \pi_2 = \mathrm{id}_M$, we recover the original AAG key establishment protocol for monoids [AAG99] as a special case of this generalized notion.

2.2 AAG commutator KEP for groups

The AAG commutator KEP for groups [AAG99] is determined by the following specifications: Let $S_1 = S_2 = M = N = G$ be a group, and $S_A$ and $S_B$ are assumed to be subgroups of $G$². We have $\pi_1 = \pi_2 = \mathrm{id}_G$ and $\beta_1 = \beta_2 =: \beta$. The functions $\beta, \gamma_1, \gamma_2 : G^2 \to G$ are defined by

$$\beta(x, y) = x^{-1} y x, \qquad \gamma_1(x, y) = x^{-1} y, \qquad \gamma_2(x, y) = y^{-1} x.$$

Note that the shared key is the commutator

$$K_A = \gamma_1(a, \beta_2(b, \pi_1(a))) = \gamma_1(a, b^{-1} a b) = a^{-1}(b^{-1} a b) = [a, b]$$
$$= (a^{-1} b a)^{-1} b = \gamma_2(b, a^{-1} b a) = \gamma_2(b, \beta_1(a, \pi_2(b))) = K_B.$$

¹ A standard key space is the semigroup of bitstrings $\{0, 1\}^*$.

² Now $r_i$ and $u_j$ are elements from $\{s_1^{\pm 1}, \ldots, s_m^{\pm 1}\}$ and $\{t_1^{\pm 1}, \ldots, t_n^{\pm 1}\}$, respectively.
If the group elements are given by representative words (over some alphabet of generators) as usual in combinatorial group theory, then multiplication is defined by simple concatenation of words. Therefore Alice and Bob have to publish the words representing the elements $\beta(a, t_i) = a^{-1} t_i a$ and $\beta(b, s_j) = b^{-1} s_j b$ in a disguised form. Hence the question whether one can efficiently disguise elements by using defining relations [SZ06] is very important for any platform group. One way is to use efficiently computable normal forms.
Such efficiently computable normal forms exist in many groups, e.g., in braid groups. Furthermore, the conjugator search, i.e. determining $x$ from $\beta(x, y) = x^{-1} y x$, was assumed to be hard in braid groups. Therefore Anshel, Anshel and Goldfeld suggested braid groups as platform groups for the AAG commutator KEP [AAG99].

2.3 Group Diffie-Hellman key establishment

In 2000 Ko, Lee, Cheon, Han, Kang and Park introduced a new key agreement scheme based on braid groups [KL+00]. Here we describe a generalized version of this KEP [CK+01] for a general platform group $G$. Since this KEP is a non-abelian generalization of the classical Diffie-Hellman (DH) key agreement in the abelian group $\mathbb{F}_p^*$ [DH76], we call it the group Diffie-Hellman (DH) key establishment protocol. Let $(A_1, B_1)$ and $(A_2, B_2)$ be two pairs of public, commuting subgroups of a given group $G$, i.e., we have $[A_i, B_i] = 1$ for $i = 1, 2$. Furthermore, let $x$ be a "generic" element in $G$. Alice and Bob have to perform the following protocol steps.

1. Alice generates her secret key $(a_1, a_2) \in A_1 \times A_2$. And Bob selects his private key $(b_1, b_2) \in B_1 \times B_2$.

2. Alice computes $y_A = a_1 x a_2$ and sends it to Bob. And Bob computes $y_B = b_1 x b_2$ and submits it to Alice.

3. Alice receives $y_B$ and computes $K_A := a_1 y_B a_2$. And Bob receives $y_A$ and computes the shared key

$$K_B := b_1 y_A b_2 = b_1 (a_1 x a_2) b_2 = a_1 (b_1 x b_2) a_2 = a_1 y_B a_2 = K_A.$$

For $a_1 = a_2^{-1}$ and $b_1 = b_2^{-1}$ we obtain the original Ko-Lee et al. protocol [KL+00]. In [AAG03] it is shown that the Ko-Lee et al. protocol may also be seen as an instance of the Anshel-Anshel-Goldfeld KEP for monoids. The following proposition is a straightforward generalization of that claim from [AAG03] using the same proof idea³.

Proposition 2.1. The group Diffie-Hellman key establishment protocol is an instance of the general Anshel-Anshel-Goldfeld KEP for monoids.

PROOF. Here we set $S_1 = A_1 \times A_2$, $S_2 = B_1 \times B_2$, $M = G$ and $N = \{g_1 x g_2 \mid (g_1, g_2) \in G^2\}$. On $N$ we define the following "forgetful" binary operation:

$$1 \cdot_N u = u \cdot_N 1 = u \quad (\forall u \in N) \qquad \text{and} \qquad u \cdot_N v = u \quad (\forall u, v \in N,\ u \neq 1,\ v \neq 1).$$

³ It is also a corrected reformulation of Proposition 5.1 in [Ka07].
This turns $N$ into a monoid. We define the functions $\beta_1 : (A_1 \times A_2) \times G \to N$ and $\beta_2 : (B_1 \times B_2) \times G \to N$ by

$$\beta_1((u_1, u_2), v) = \beta_2((u_1, u_2), v) = u_1 x u_2.$$

Then condition (1) is satisfied obviously. Indeed, given the forgetful operation on $N$, any constant function $\beta(u) : G \to N$ provides a monoid homomorphism. Further, condition (2) holds, because it is assumed to be hard for the group $G$ to determine $a = (a_1, a_2) \in A_1 \times A_2$ from $\beta((a_1, a_2), v) = a_1 x a_2$. The computational problem is a search version of the Double Coset Problem or Decomposition Problem (DCP) - see also section 2.4. We define the functions $\gamma_1 : (A_1 \times A_2) \times N \to N$ and $\gamma_2 : (B_1 \times B_2) \times N \to N$ by

$$\gamma_1((u_1, u_2), w) = \gamma_2((u_1, u_2), w) = u_1 w u_2.$$

Then (3) is satisfied, because we have for all $a = (a_1, a_2) \in A_1 \times A_2$, $b = (b_1, b_2) \in B_1 \times B_2$ (recall $[A_i, B_i] = 1$ for $i = 1, 2$):

$$\gamma_1(a, \beta_2(b, \pi_1(a))) = \gamma_1((a_1, a_2), b_1 x b_2) = a_1 (b_1 x b_2) a_2 =$$
$$b_1 (a_1 x a_2) b_2 = \gamma_2((b_1, b_2), a_1 x a_2) = \gamma_2(b, \beta_1(a, \pi_2(b))).$$

This proves that the conditions (1)-(3) are fulfilled. It remains to show that the protocol steps 1.-3. of the DH-KEP are specializations of the protocol steps 1.-4. of the general AAG-KEP. Set $S_A = S_B = \langle x \rangle$ and define, for $i = 1, 2$, $\pi_i : S_i \to M$ by $u \mapsto x$, i.e., $\pi_1, \pi_2$ are constant functions.

1. Alice generates an element $a = (a_1, a_2) \in S_1 = A_1 \times A_2$ such that $\pi_1(a) = x \in \langle x \rangle = S_A$, and Bob chooses a $b = (b_1, b_2) \in S_2 = B_1 \times B_2$ s.t. $\pi_2(b) = x \in \langle x \rangle = S_B$.

2. Alice computes the element $\beta_1(a, x) = a_1 x a_2 = y_A$ and publicly announces this element. This element is her public key. Analogously Bob computes the element $\beta_2(b, x) = b_1 x b_2 = y_B$ and publishes this element.

3. Knowing that $\pi_1(a) = x$, Alice computes from Bob's public key $\beta_2(b, \pi_1(a)) = \beta_2(b, x) = b_1 x b_2$. Indeed, this computation is trivial, because here $\beta_2(b, \pi_1(a))$ is Bob's public key.

And Bob, knowing $\pi_2(b) = x$, computes from Alice's public key $\beta_1(a, \pi_2(b)) = \beta_1(a, x) = a_1 x a_2$. Also this computation is trivial. Therefore, here protocol step 3 becomes redundant.

4. Alice computes $K_A = \gamma_1(a, \beta_2(b, \pi_1(a))) = a_1 y_B a_2$, and symmetrically Bob computes $K_B = \gamma_2(b, \beta_1(a, \pi_2(b))) = b_1 y_A b_2$. □

We have proven that the group DH-KEP is a special case of the AAG-KEP for monoids. Nevertheless, not every special case is obvious. Indeed, the group DH-KEP does not use the homomorphy property (1) at all. Therefore step 3 in this specification of the general AAG-KEP (see proof above) became trivial. This observation motivates us to introduce the following somewhat informal notion:

Definition 2.2 We call a key establishment protocol AAG-like if it is an instance of the general AAG-KEP and it utilizes property (1) in a non-trivial way.

According to this notion, and contrary to the AAG commutator KEP, the group Diffie-Hellman KEP is not an AAG-like KEP, though it can be formally considered as an instance of the general AAG-KEP (see Proposition 2.1).

2.4 Base Problems

The following search problems are related to the group based protocols from the previous sections. Let $G$ be a group.

CSP (Conjugacy Search Problem):
Input: $(s, s^x) \in G^2$. ($s^x$ denotes $x^{-1} s x$.)
Objective: Find $x' \in G$ such that $s^{x'} = s^x$.

$l$-simCSP ($l$-Simultaneous Conjugacy Search Problem):
Input: $\{(s_i, s_i^x) \in G^2 \mid i = 1, \ldots, l\}$.
Objective: Find $x' \in G$ such that $s_i^{x'} = s_i^x$ $\forall i = 1, \ldots, l$.

subCSP (Subgroup Conjugacy Search Problem): Let $H$ be a subgroup of $G$.
Input: $(s, s^x) \in G^2$ with $x \in H \leq G$.
Objective: Find $x' \in H$ such that $s^{x'} = s^x$.

$l$-ssCSP ($l$-Simultaneous Subgroup Conjugacy Search Problem):
Input: $\{(s_i, s_i^x) \in G^2 \mid i = 1, \ldots, l\}$ with $x \in H \leq G$.
Objective: Find $x' \in H$ such that $s_i^{x'} = s_i^x$ $\forall i = 1, \ldots, l$.

AAGP (Anshel-Anshel-Goldfeld Problem): Let $A = \langle a_1, \ldots, a_k \rangle$ and $B = \langle b_1, \ldots, b_m \rangle$ be two f.g. subgroups of $G$.
Input: $\{(a_i, a_i^y) \in G^2 \mid i = 1, \ldots, k\} \cup \{(b_j, b_j^x) \in G^2 \mid j = 1, \ldots, m\}$ with $x \in A$ and $y \in B$.
Objective: Find $K := x^{-1} y^{-1} x y$.

KLP (Ko-Lee Problem - a Diffie-Hellman version of the GCSP or CDP): Let $A, B \leq G$ with $[A, B] = 1$.
Input: $(s, s^x, s^y) \in G^3$ with $x \in A$, $y \in B$.
Objective: Find $K := x^{-1} y^{-1} s x y$.

DCP (Double Coset or Decomposition Problem): Let $H_1, H_2 \leq G$.
Input: $(s, x_1 s x_2) \in G^2$ for some $x_1 \in H_1$ and $x_2 \in H_2$.
Objective: Find $(x_1', x_2') \in H_1 \times H_2$ such that $x_1' s x_2' = x_1 s x_2$.

CDP (Conjugacy Decomposition Problem):
Input: $(s, s^x) \in G^2$ with $x \in H \leq G$.
Objective: Find $(x_1, x_2) \in H^2$ such that $x_1 s x_2 = s^x$.

DH-DCP (Diffie-Hellman Decomposition Problem): $A_1, A_2, B_1, B_2$ subgroups of $G$ such that $[A_i, B_i] = 1$ for $i = 1, 2$.
Input: $(s, x_1 s x_2, y_1 s y_2) \in G^3$ with $x_1 \in A_1$, $x_2 \in A_2$, $y_1 \in B_1$, $y_2 \in B_2$.
Objective: Find $K := x_1 y_1 s x_2 y_2$.

Indeed, the AAG commutator KEP, the Ko-Lee protocol and the group DH-KEP are based on the AAGP, KLP and DH-DCP, respectively.
Now, let $P_1, P_2$ be two computational problems. We say $P_1$ is harder than $P_2$ or $P_1$ implies $P_2$, written $P_1 \to P_2$, if a $P_1$-oracle provides a solution to problem $P_2$.

Proposition 2.3. We have the following hierarchy of search problems (the diagram of implication arrows is not reproduced here; its nodes are arranged in four levels: $l$-ssCSP at the top; AAGP, $l$-simCSP, subCSP and DCP below it; CSP, CDP and DH-DCP below those; and KLP at the bottom):

Proof. Most of the sketched implications are obvious consequences of the definitions. We just prove CDP → KLP and $l$-ssCSP → AAGP:

1. (see [KL+00]) The input is a triple $(s, s^x, s^y) \in G^3$ with $x \in A$, $y \in B$, and $A, B \leq G$ with $[A, B] = 1$. A CDP-oracle provides $(x_1, x_2) \in A^2$ with $x_1 s x_2 = s^x$. Now we can compute the shared key

$$x_1 s^y x_2 = x_1 y^{-1} s y x_2 = y^{-1} (x_1 s x_2) y = y^{-1} (x^{-1} s x) y = K.$$

2. Here the input is $\{(a_i, a_i^y) \in G^2 \mid i = 1, \ldots, k\} \cup \{(b_j, b_j^x) \in G^2 \mid j = 1, \ldots, m\}$ with $x \in A = \langle a_1, \ldots, a_k \rangle$ and $y \in B = \langle b_1, \ldots, b_m \rangle$. An $m$-SGCSP-oracle provides an $x' \in A$ with $x'^{-1} b_j x' = b_j^x$ for all $j = 1, \ldots, m$. And a $k$-SGCSP-oracle provides a $y' \in B$ with $y'^{-1} a_i y' = a_i^y$ for all $i = 1, \ldots, k$. Now, since $x'^{-1} b_j x' = b_j^x = x^{-1} b_j x$ $\forall j$, we have $x' = c_b x$ for some $c_b \in C_G(B)$. Here $C_G(B)$ denotes the intersection of all centralizers $C_G(b_j)$ of $b_j$ ($j = 1, \ldots, m$) in $G$. Analogously, we can write $y' = c_a y$ with

$$c_a \in C_G(A) = \bigcap_{i=1}^{k} C_G(a_i).$$

Now, $x' \in A$ implies $c_b \in A$. Therefore we have $[c_a, c_b] = 1$, and we can compute the shared key

$$K' := x'^{-1} y'^{-1} x' y' = (c_b x)^{-1} (c_a y)^{-1} c_b x c_a y = x^{-1} c_b^{-1} y^{-1} c_a^{-1} c_b x c_a y$$
$$= x^{-1} y^{-1} c_b^{-1} c_a^{-1} c_b c_a x y = x^{-1} y^{-1} x y = K. \qquad □$$

We see that solving the classical CSP is insufficient for breaking the AAG protocol or the Ko-Lee protocol. Furthermore, it is, in general, insufficient to solve the $l$-SCSP to obtain the shared key $K$ of the AAG protocol [SU06]: Let $x' = c_b x \in G$ and $y' = c_a y \in G$ with $c_a \in C_G(A)$, $c_b \in C_G(B)$ be the output of an $m$-SCSP-oracle and a $k$-SCSP-oracle, respectively. Then we have $K' = K$ if and only if $[c_a, c_b] = 1$. A necessary condition for $[c_b, c_a] \neq 1$ is $c_b \notin A \wedge c_a \notin B$, which implies $x' \notin A \wedge y' \notin B$. Otherwise, if $x' \notin A$, but $y' \in B$ (or vice versa), the adversary gets $K' = K$.

Alternatively, the adversary could solve the SCSP and the

MSP (Membership Search Problem):
Input: $x, a_1, \ldots, a_k \in G$.
Objective: Find an expression of $x$ as a word in $a_1, \ldots, a_k$ (notation $x = x(a_1, \ldots, a_k)$), if it exists, i.e. if $x \in \langle a_1, \ldots, a_k \rangle$.

to break the AAG key agreement scheme [SU06]:

If an $m$-SCSP-oracle outputs $x' = c_b x \in A$, then the MSP-oracle provides the word expression $x'(a_1, \ldots, a_k)$. Now the adversary can compute the shared key

$$x'^{-1} x'(a_1^y, \ldots, a_k^y) = x'^{-1} x'^y = (x^{-1} c_b^{-1})\, y^{-1} (c_b x)\, y = [x, y] = K.$$

But we have shown above that it is not necessary to solve the MSP.

2.5 Diffie-Hellman key establishment protocol

Recall the classical Diffie-Hellman key establishment protocol [DH76]. Let $G$ be a cyclic group and $x$ an element of big order in $G$. Alice and Bob have to perform the following protocol steps.

1. Alice chooses a $k \in \mathbb{Z}$, computes $y_A = x^k$, and sends it to Bob. And Bob chooses an $l \in \mathbb{Z}$, computes $y_B = x^l$, and submits it to Alice.

2. Alice receives $y_B$ and computes $K_A := y_B^k$. And Bob receives $y_A$ and computes the shared key $K_B := y_A^l = (x^k)^l = (x^l)^k = y_B^k = K_A$.

Proposition 2.4. The Diffie-Hellman key establishment protocol is an instance of the Anshel-Anshel-Goldfeld KEP for monoids. Furthermore it is an AAG-like KEP.

PROOF. Here we set $S_1 = S_2 = \mathbb{Z}$ and $M = N = S_A = S_B = \langle x \rangle$. For $i = 1, 2$, we define the functions $\beta_i, \gamma_i : \mathbb{Z} \times \langle x \rangle \to \langle x \rangle$ and $\pi_i : \mathbb{Z} \to \langle x \rangle$ by

$$\beta_i(k, y) = y^k, \qquad \gamma_i(k, y) = y \qquad \text{and} \qquad \pi_i(k) = x^k.$$

Then, for $i = 1, 2$, condition (1) holds for all $y_1, y_2 \in M$, because $M = \langle x \rangle$ is cyclic, and therefore abelian:

$$\beta_i(k, y_1 \cdot y_2) = (y_1 y_2)^k = y_1^k y_2^k = \beta_i(k, y_1) \cdot \beta_i(k, y_2).$$

Note that exponentiation is only a homomorphism if the monoid $M$ is abelian. Further, condition (2) holds, because it is assumed to be hard to determine $k \in \mathbb{Z}$ from $\beta(k, x) = x^k$. The computational problem is well known as the Discrete Logarithm Problem (DLP).
And (3) is satisfied, because we have for all $k, l \in \mathbb{Z}$:

$$\gamma_1(k, \beta_2(l, \pi_1(k))) = \beta_2(l, x^k) = (x^k)^l = (x^l)^k = \beta_1(k, x^l) = \gamma_2(l, \beta_1(k, \pi_2(l))).$$

This proves that the conditions (1)-(3) are fulfilled. It remains to show that the protocol steps 1.-2. of the Diffie-Hellman KEP are specializations of the protocol steps 1.-4. of the general AAG-KEP.
1. Alice generates an element $k \in S_1 = \mathbb{Z}$ such that $\pi_1(k) = x^k \in \langle x \rangle = S_A$, and Bob chooses an $l \in S_2 = \mathbb{Z}$ s.t. $\pi_2(l) = x^l \in \langle x \rangle = S_B$.

2. Alice computes the element $\beta_1(k, x) = x^k = y_A$ and publicly announces this element. This element is her public key. Analogously Bob computes the element $\beta_2(l, x) = x^l = y_B$ and publishes this element.

3. Knowing that $\pi_1(k) = x^k$, Alice computes from Bob's public key $\beta_2(l, \pi_1(k)) = \beta_2(l, x^k) = (x^k)^l = (x^l)^k = y_B^k$. And Bob, knowing $\pi_2(l) = x^l$, computes from Alice's public key $\beta_1(k, \pi_2(l)) = \beta_1(k, x^l) = (x^l)^k = (x^k)^l = y_A^l$.

4. Alice computes $K_A = \gamma_1(k, \beta_2(l, \pi_1(k))) = \beta_2(l, \pi_1(k)) = y_B^k$, and symmetrically Bob computes $K_B = \gamma_2(l, \beta_1(k, \pi_2(l))) = \beta_1(k, \pi_2(l)) = y_A^l$. Since this is exactly the output of the computation in step 3, here step 4 is redundant or trivial.

Let us recall and emphasize that in step 3 the homomorphy property (1) is used in a nontrivial way. For example, Alice knowing $\pi_1(k) = x^k = \underbrace{x \cdots x}_{k \text{ times}} =: w_k(x)$ can compute

$$y_B^k = (\beta_2(l, x))^k = (x^l)^k = w_k(x^l) = \underbrace{x^l \cdots x^l}_{k \text{ times}} = (\underbrace{x \cdots x}_{k \text{ times}})^l = (w_k(x))^l = (x^k)^l = \beta_2(l, w_k(x)) = \beta_2(l, \pi_1(k)).$$

Therefore, we may view the classical DH-KEP as an AAG-like KEP. □

2.6 Sakalauskas, Tvarijonas and Raulynaitis Key Establishment Protocol (STR-KEP)

The following KEP is a natural hybrid of the classical DH-KEP and the Ko-Lee-KEP. It was introduced in 2007 by Sakalauskas, Tvarijonas and Raulynaitis in [STR07].

Let $G$ be a (noncommutative) group and $A, B$ a pair of commuting subgroups in $G$. Furthermore, let $x$ be a "generic" element in $G$. Alice and Bob have to perform the following protocol steps.

1. Alice generates her secret key $(k, a) \in \mathbb{Z} \times A$. And Bob selects his private key $(l, b) \in \mathbb{Z} \times B$.

2. Alice computes $y_A = a^{-1} x^k a$ and sends it to Bob. And Bob computes $y_B = b^{-1} x^l b$ and submits it to Alice.

3. Alice receives $y_B$ and computes $K_A := a^{-1} y_B^k a$. And Bob receives $y_A$ and computes the shared key

$$K_B := b^{-1} y_A^l b = b^{-1} (a^{-1} x^k a)^l b = b^{-1} (a^{-1} (x^k)^l a) b$$
$$= a^{-1} (b^{-1} (x^l)^k b) a = a^{-1} (b^{-1} x^l b)^k a = a^{-1} y_B^k a = K_A.$$

Proposition 2.5. The Sakalauskas, Tvarijonas and Raulynaitis Key Establishment Protocol is an instance of the Anshel-Anshel-Goldfeld KEP for monoids. Furthermore, it is an AAG-like KEP.
PROOF. Here we set $S_1 = \mathbb{Z} \times A$, $S_2 = \mathbb{Z} \times B$, $M = S_A = S_B = \langle x \rangle$ and $N = G$. For $i = 1, 2$, we define the functions $\beta_i : S_i \times \langle x \rangle \to G$, $\gamma_i : S_i \times G \to G$ and $\pi_i : S_i \to \langle x \rangle$ by

$$\beta_i((k, z), y) = z^{-1} y^k z, \qquad \gamma_i((k, z), y) = z^{-1} y z \qquad \text{and} \qquad \pi_i(k, z) = x^k.$$

Then, for $i = 1, 2$, condition (1) holds for all $y, y' \in M$:

$$\beta_i((k, z), y y') = z^{-1} (y y')^k z = z^{-1} y^k z \cdot z^{-1} y'^k z = \beta_i((k, z), y) \cdot \beta_i((k, z), y').$$

Further, condition (2) holds, because it is assumed to be hard to determine $k \in \mathbb{Z}$ and $z \in G$ from $\beta((k, z), x) = z^{-1} x^k z$. The computational problem is a "mixed problem" requiring to solve simultaneously the DLP and the CSP (see [STR07]).

And (3) is satisfied, because we have for all $k, l \in \mathbb{Z}$, $a \in A$, $b \in B$:

$$\gamma_1((k, a), \beta_2((l, b), \pi_1(k, a))) = a^{-1} \beta_2((l, b), x^k) a = a^{-1} b^{-1} (x^k)^l b a$$
$$= b^{-1} a^{-1} (x^l)^k a b = b^{-1} \beta_1((k, a), x^l) b = \gamma_2((l, b), \beta_1((k, a), \pi_2(l, b))).$$

This proves that the conditions (1)-(3) are fulfilled. It remains to show that the protocol steps 1.-2. of the Diffie-Hellman KEP are specializations of the protocol steps 1.-4. of the general AAG-KEP.

1. Alice generates an element (k, a) £ Z x A such that n\(k 1 a) = x k £ (x) = 
Sa, and Bob chooses (l,b) G Z X B s.t. 7^(7, b) = x l £ (x) = Sb- 

2. Alice computes the element j3±((k, a), x) — a~ 1 x k a = yA and publicly 
announces this element. This element is her public key. Analogously 
Bob computes the element j32((l,b),x) — fe^ 1 ^?) = y B and publishes this 
element. 

3. Knowing that 7Ti(/c, a) = x k , Alice computes from Bob's public key ^((l, b), 7Ti (fc, a)) = 
/3 2 ((l,b),x k ) = b~ l {x k ) l b = {b- 1 x l b) k = y k . And Bob, knowing tt 2 (Z, 6) = 

x, computes from Alice's public key /3i((fc, a), ir 2 (l, b)) = 0i((k, a),x ) — 
a^ 1 {x l ) k a = (a~ 1 x k a) 1 = y\. 

4. Alice computes K a = 7i((&, a), fcdl, b), ni(k, a))) = a _1 /32((^, b), ni (k, a))a = 
a~ 1 y B a, and symmetrically Bob computes K b — J2{{1> b), /3i((k, a), TT2(l, &))) = 
6- 1 /? 1 ((fc,a),7r 2 (;,6))6 = a- 1 y>. 

Let us recall and emphasize that also here in step 3 the homomorphy property 
(1) is used in a nontrivial way. For example, Alice knowing 7Ti(fc, a) — x k — 
x - j x =: Wk(x) can compute 

k times 

Vb = (I32((l,b),x)) k = (b- 1 x l b) k = w k {b- 1 x l b) = b- 1 x l b- - -b- 1 x l b 

k times 

^ b- 1 (x_-x) l b = b-^Wkixtfb = b-\x k ) l b = /3 2 ((/,6),7n(fc,a)). 

k times 

Therefore, we may view the STR-KEP as an AAG-like KEP. □ 
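The four protocol steps of the proof above, run end to end as an added example (this is not code from the paper): the toy platform is $G = S_6$ with $A$ the permutations moving only $\{0,1,2\}$ and $B$ those moving only $\{3,4,5\}$, so that $A$ and $B$ commute elementwise as condition (3) requires; all names, the seed and the group are constructed assumptions, and step 3 is computed from $y_B^k$ exactly as the homomorphy argument says.

```python
# Added example (not from the paper): the STR-KEP of the proof above, run as an
# AAG-KEP for monoids in a small toy platform. G = S_6 acting on {0,...,5}, A = the
# permutations moving only {0,1,2}, B = those moving only {3,4,5}, so every a in A
# commutes with every b in B (which condition (3) needs). All values are constructed;
# a 6-element symmetric group is a demonstration platform, not a secure choice.
import random

N = 6
IDENTITY = tuple(range(N))

def mul(x, y):
    """Product xy, read left to right: apply x first, then y (any fixed convention works)."""
    return tuple(y[x[i]] for i in range(N))

def inv(x):
    r = [0] * N
    for i, xi in enumerate(x):
        r[xi] = i
    return tuple(r)

def power(x, k):
    """x^k for any integer k."""
    if k < 0:
        x, k = inv(x), -k
    r = IDENTITY
    for _ in range(k):
        r = mul(r, x)
    return r

def conj(z, y):
    """z^{-1} y z"""
    return mul(mul(inv(z), y), z)

# The functions of the proof: S_i = Z x {A or B}, M = <x>, N = G.
def beta(key, y):
    """beta_i((k,z), y) = z^{-1} y^k z"""
    k, z = key
    return conj(z, power(y, k))

def gamma(key, y):
    """gamma_i((k,z), y) = z^{-1} y z"""
    return conj(key[1], y)

def pi(key, x):
    """pi_i(k,z) = x^k"""
    return power(x, key[0])

def random_in_A(rng):
    head = [0, 1, 2]
    rng.shuffle(head)
    return tuple(head + [3, 4, 5])

def random_in_B(rng):
    tail = [3, 4, 5]
    rng.shuffle(tail)
    return tuple([0, 1, 2] + tail)

def str_kep(x, alice_key, bob_key):
    """Steps 2-4 of the protocol; returns Alice's and Bob's computed keys."""
    y_A = beta(alice_key, x)           # step 2: a^{-1} x^k a, published
    y_B = beta(bob_key, x)             # step 2: b^{-1} x^l b, published
    # Step 3 uses the homomorphy property (1): Alice only knows pi_1(k,a) = x^k,
    # and beta_2((l,b), x^k) = (b^{-1} x^l b)^k = y_B^k.
    alice_mid = power(y_B, alice_key[0])
    bob_mid = power(y_A, bob_key[0])
    assert alice_mid == beta(bob_key, pi(alice_key, x))   # what the proof claims
    assert bob_mid == beta(alice_key, pi(bob_key, x))
    K_A = gamma(alice_key, alice_mid)  # step 4: a^{-1} y_B^k a
    K_B = gamma(bob_key, bob_mid)      # step 4: b^{-1} y_A^l b
    return K_A, K_B

def run(seed):
    """One session; returns (K_A, K_B, K) where K = a^{-1} b^{-1} x^{kl} b a."""
    rng = random.Random(seed)
    x = list(range(N))
    rng.shuffle(x)
    x = tuple(x)                                          # public element of G
    alice_key = (rng.randrange(1, 50), random_in_A(rng))  # (k, a) in Z x A
    bob_key = (rng.randrange(1, 50), random_in_B(rng))    # (l, b) in Z x B
    K_A, K_B = str_kep(x, alice_key, bob_key)
    k, a = alice_key
    l, b = bob_key
    K = conj(a, conj(b, power(x, k * l)))                 # a^{-1} (b^{-1} x^{kl} b) a
    return K_A, K_B, K

if __name__ == "__main__":
    K_A, K_B, K = run(2024)
    print("shared key agrees:", K_A == K_B == K)
```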
3 Key establishment using non-associative operations

3.1 AAG scheme for magmas

Monoids are proposed as algebraic platform structures for the AAG key agreement protocol in [AAG99]. But the monoid structure is only used in the AAG scheme in order to guarantee that the secret key, e.g. Alice's key $a$, is a uniquely defined product of some given generators $\{s_1, \ldots, s_m\}$, i.e. $a = r_1 \cdot r_2 \cdots r_k$ with $r_i \in \{s_1, \ldots, s_m\}$ for all $i$. It is, of course, no problem to introduce brackets in this expression in order to handle non-associative operations. Therefore, there exists a straightforward generalization of the AAG scheme from monoids to magmas.

A magma (sometimes also called groupoid) $(M, *)$ is a set $M$ equipped with a binary operation $*$ on $M$, i.e. a function $M \times M \to M$. Note that there are no relations which have to be satisfied by the elements of $M$. The notion of a magma was introduced by N. Bourbaki (see, e.g., [Bo74]).

We describe the AAG key establishment protocol in the, for our purposes, most general manner.

For $i = 1, 2$, let $S_i$ be sets and $(M, \bullet_i)$ and $(N, \circ_i)$ be magmas, i.e. there are two operations on each of the sets $M$, $N$. For $i = 1, 2$, we need functions

$$\beta_i : S_i \times M \to N, \quad \gamma_i : S_i \times N \to N, \quad \pi_i : S_i \to M$$

which satisfy the following three conditions:

(1) $\beta_1(x, \cdot) : (M, \bullet_2) \to (N, \circ_2)$ is for all $x \in S_1$ a magma homomorphism$^4$, i.e.
$$\forall x \in S_1,\ y, y' \in M : \beta_1(x, y \bullet_2 y') = \beta_1(x, y) \circ_2 \beta_1(x, y').$$
Also $\beta_2(x, \cdot) : (M, \bullet_1) \to (N, \circ_1)$ is for all $x \in S_2$ a magma morphism, i.e.
$$\forall x \in S_2,\ y, y' \in M : \beta_2(x, y \bullet_1 y') = \beta_2(x, y) \circ_1 \beta_2(x, y').$$

(2) It is, in general, not feasible to determine a secret $x \in S_i$ ($i = 1, 2$) from the knowledge of
$$y_1, y_2, \ldots, y_k \in M \quad \text{and} \quad \beta_i(x, y_1), \beta_i(x, y_2), \ldots, \beta_i(x, y_k).$$

(3) For all $a \in S_1, b \in S_2$: $\gamma_1(a, \beta_2(b, \pi_1(a))) = \gamma_2(b, \beta_1(a, \pi_2(b)))$.

Consider an element $y$ of a magma $(M, \bullet)$ which is an iterated product of other elements in $M$. Such an element can be described by a planar rooted binary tree $T$ whose $k$ leaves are labelled by these other elements $y_1, \ldots, y_k \in M$. We use the notation $y = T_\bullet(y_1, \ldots, y_k)$. Here the subscript $\bullet$ tells us that the grafting of subtrees of $T$ corresponds to the operation $\bullet$.

Now, it is easy to prove by induction that any magma homomorphism $\beta : (M, \bullet) \to (N, \circ)$ satisfies

$$\beta(T_\bullet(y_1, \ldots, y_k)) = T_\circ(\beta(y_1), \ldots, \beta(y_k))$$

for all $y_1, \ldots, y_k \in M$. In particular, the magma morphisms $\beta_1(x, \cdot)$, $\beta_2(x, \cdot)$ ($x \in S_i$) fulfill this property.

$^4$ More on magmas and magma homomorphisms can be found, e.g., in [Se65, Ge94].

Alice and Bob publicly assign sets $\{s_1, \ldots, s_m\}, \{t_1, \ldots, t_n\} \subset M$, respectively. The secret key spaces $SK_A$, $SK_B$ of Alice and Bob are subsets of $S_1$, $S_2$, respectively, and they depend on these public elements. It is sufficient that $\beta_1, \beta_2$ fulfill condition (1) only for all $x \in SK_A$, $SK_B$, respectively, and that condition (3) holds for all $a \in SK_A$, $b \in SK_B$.

Now, Alice and Bob perform the following protocol steps.

1. Alice generates her secret key $a \in SK_A$, and Bob chooses his secret key $b \in SK_B$.

2. Alice computes the elements $\beta_1(a, t_1), \ldots, \beta_1(a, t_n) \in N$, and sends them to Bob. Analogously Bob computes the elements $\beta_2(b, s_1), \ldots, \beta_2(b, s_m) \in N$, and sends them to Alice.

3. Alice, knowing $\pi_1(a) = T_{\bullet_1}(r_1, \ldots, r_k)$ with $r_i \in \{s_1, \ldots, s_m\}$, computes from Bob's public key
$$T_{\circ_1}(\beta_2(b, r_1), \ldots, \beta_2(b, r_k)) = \beta_2(b, T_{\bullet_1}(r_1, \ldots, r_k)) = \beta_2(b, \pi_1(a)).$$
And Bob, knowing $\pi_2(b) = T'_{\bullet_2}(u_1, \ldots, u_{k'})$ with $u_j \in \{t_1, \ldots, t_n\}$, computes from Alice's public key
$$T'_{\circ_2}(\beta_1(a, u_1), \ldots, \beta_1(a, u_{k'})) = \beta_1(a, T'_{\bullet_2}(u_1, \ldots, u_{k'})) = \beta_1(a, \pi_2(b)).$$

4. Alice computes $K := \gamma_1(a, \beta_2(b, \pi_1(a)))$. Bob also computes the shared key $\gamma_2(b, \beta_1(a, \pi_2(b))) = K$.

Note that the protocols described in section 2.1 are special instances of this general AAG-like protocol for magmas.

A natural special case of this scheme is given by $M = N = S_1 = S_2$. This implies that the functions $\beta_i, \gamma_i$, for $i = 1, 2$, induce further binary operations on $M$. If additionally $\bullet_i = \circ_i$ holds for $i = 1, 2$, then $M$ satisfies some distributive laws. This will lead to the notion of LD- and multi-LD-systems (see section 4). Another specification of our general magma-based scheme is discussed in the next subsection.

3.2 Non-associative KEP based on simultaneous DCP

3.2.1 Specifications

We consider the following specifications of the AAG scheme for magmas: Let $G = M = N$ be a group, and set $S_1 = S_2 = G^2$. The group multiplication symbol in $G$ will usually be omitted. The operations $\bullet_i, \circ_i$ ($i = 1, 2$) on $G$ are defined by

$$x \bullet_1 y = x \bullet_2 y = x \circ_1 y = x \circ_2 y = x \bullet y := x y^{-1} x,$$

and the functions $\beta_1, \beta_2 : G^2 \times G \to G$ are defined by

$$\beta_1((x_1, x_2), y) = \beta_2((x_1, x_2), y) = \beta((x_1, x_2), y) := x_1 y x_2.$$

$\beta(x, \cdot)$ fulfills the homomorphy condition (1), for all $x = (x_1, x_2) \in G^2$, because

$$\beta((x_1, x_2), y_1) \bullet \beta((x_1, x_2), y_2) = (x_1 y_1 x_2) \bullet (x_1 y_2 x_2) = (x_1 y_1 x_2) x_2^{-1} y_2^{-1} x_1^{-1} (x_1 y_1 x_2) = x_1 (y_1 y_2^{-1} y_1) x_2 = \beta((x_1, x_2), y_1 \bullet y_2).$$

Alice and Bob publicly assign sets $\{s_1, \ldots, s_m\}, \{t_1, \ldots, t_n\} \subset G$, respectively. The secret key spaces of Alice and Bob are $SK_A = G \times S_A$ and $SK_B = S_B \times G$, where $S_A = \langle s_1, \ldots, s_m \rangle_\bullet$ and $S_B = \langle t_1, \ldots, t_n \rangle_\bullet$ denote the submagmas of $(G, \bullet)$ generated by the publicly assigned elements.

The projections $\pi_1, \pi_2 : G^2 \to G$ and the functions $\gamma_1, \gamma_2 : G^2 \times G \to G$ are defined by

$$\pi_1(x, y) = y, \quad \pi_2(x, y) = x \quad \text{and} \quad \gamma_1((x_1, x_2), y) = x_1 y, \quad \gamma_2((x_1, x_2), y) = y x_2.$$

These definitions satisfy condition (3), because

$$\gamma_1(a, \beta(b, \pi_1(a))) = \gamma_1(a, \beta(b, a_r)) = \gamma_1(a, b_l a_r b_r) = a_l (b_l a_r b_r) = (a_l b_l a_r) b_r = \gamma_2(b, a_l b_l a_r) = \gamma_2(b, \beta(a, b_l)) = \gamma_2(b, \beta(a, \pi_2(b)))$$

for all $a = (a_l, a_r), b = (b_l, b_r) \in G^2$.

We skip repeating all the protocol steps from section 3.1 with these specifications. The base problem for this non-associative scheme is discussed in the next subsubsection.

3.2.2 A related non-commutative scheme

Consider the right part of Alice's key $a_r = T_\bullet(r_1, \ldots, r_k) \in S_A$ with $r_i \in \{s_1, \ldots, s_m\}$. If we view $a_r$ as a word in the $s_i$'s, then we observe that $a_r$ is self-reverse and the exponent signs of $a_r$ alternate, beginning and ending with a positive sign. For example, we have

$$(r_1 \bullet r_2) \bullet (r_3 \bullet (r_4 \bullet r_5)) = r_1 r_2^{-1} r_1 r_3^{-1} r_4 r_5^{-1} r_4 r_3^{-1} r_1 r_2^{-1} r_1.$$

While in this scheme alternating exponent signs are essential to guarantee that condition (1) holds, the self-reverse property seems to be superfluous. It comes from the self-reverse property of the non-associative operation $\bullet$. Anyway, for example in order to compute $b_l a_r b_r$, Alice actually doesn't need to know $a_r$ as a tree-word in the submagma $\langle s_1, \ldots, s_m \rangle_\bullet$. Rather it suffices to know $a_r$ as an "alternating" word of the form $s_{i_1} s_{i_2}^{-1} s_{i_3} \cdots s_{i_{2l+1}}$.

Therefore, we give up this restricted key choice and define modified (bigger) secret key spaces by $SK_A = G \times SK_A^{(r)}$ and $SK_B = SK_B^{(l)} \times G$ with

$$SK_A^{(r)} = \{ r_1 r_2^{-1} r_3 r_4^{-1} \cdots r_{2l}^{-1} r_{2l+1} \mid r_i \in \{s_1, \ldots, s_m\} \ \forall\, 1 \le i \le 2l+1,\ l \in \mathbb{N} \},$$
$$SK_B^{(l)} = \{ u_1 u_2^{-1} u_3 u_4^{-1} \cdots u_{2l'}^{-1} u_{2l'+1} \mid u_j \in \{t_1, \ldots, t_n\} \ \forall\, 1 \le j \le 2l'+1,\ l' \in \mathbb{N} \}.$$

Then, Alice and Bob have to perform the following protocol steps.

1. Alice generates her secret key $(a_l, a_r) \in G \times SK_A^{(r)}$. Bob chooses his secret key $(b_l, b_r) \in SK_B^{(l)} \times G$.

2. Alice computes the elements $a_l t_1 a_r, \ldots, a_l t_n a_r$, and sends them to Bob. Analogously Bob computes the elements $b_l s_1 b_r, \ldots, b_l s_m b_r$, and sends them to Alice.

3. Alice, knowing $a_r = r_1 r_2^{-1} r_3 r_4^{-1} \cdots r_{2l}^{-1} r_{2l+1}$ with $r_i \in \{s_1, \ldots, s_m\}$, computes from Bob's public key
$$(b_l r_1 b_r)(b_l r_2 b_r)^{-1}(b_l r_3 b_r) \cdots (b_l r_{2l} b_r)^{-1}(b_l r_{2l+1} b_r) = b_l (r_1 r_2^{-1} r_3 \cdots r_{2l}^{-1} r_{2l+1}) b_r = b_l a_r b_r.$$
Bob, knowing $b_l = u_1 u_2^{-1} u_3 u_4^{-1} \cdots u_{2l'}^{-1} u_{2l'+1}$ with $u_j \in \{t_1, \ldots, t_n\}$, computes from Alice's public key
$$(a_l u_1 a_r)(a_l u_2 a_r)^{-1}(a_l u_3 a_r) \cdots (a_l u_{2l'} a_r)^{-1}(a_l u_{2l'+1} a_r) = a_l (u_1 u_2^{-1} u_3 \cdots u_{2l'}^{-1} u_{2l'+1}) a_r = a_l b_l a_r.$$

4. Alice computes $K := a_l (b_l a_r b_r)$. Bob also computes the shared key $(a_l b_l a_r) b_r = K$.

It is easy to show that this scheme is a further instance of the generalized AAG scheme for monoids (section 2.1). Therefore one simply has to turn the sets $SK_A^{(r)}$ and $SK_B^{(l)}$ into monoids by introducing some "forgetful" operations as exercised, e.g., in the proof in section 2.1.

In order to break this scheme an attacker obviously has to solve the following

Base Problem:

Input: Element pairs $(s_1, s'_1), \ldots, (s_m, s'_m) \in G^2$ and $(t_1, t'_1), \ldots, (t_n, t'_n) \in G^2$ with $s'_i = b_l s_i b_r$ $\forall\, 1 \le i \le m$ and $t'_j = a_l t_j a_r$ $\forall\, 1 \le j \le n$ for some (unknown) $a_l, b_r \in G$, $b_l \in SK_B^{(l)}$, $a_r \in SK_A^{(r)}$.

Objective: Find $K = a_l b_l a_r b_r$.

A successful attack on Alice's secret key requires the solution of the following

$n$-simDP ($n$-Simultaneous Decomposition Problem):

Input: Element pairs $(t_1, t'_1), \ldots, (t_n, t'_n) \in G^2$ with $t'_j = a_l t_j a_r$ $\forall\, 1 \le j \le n$ for some (unknown) $a_l \in G$, $a_r \in SK_A^{(r)}$.

Objective: Find elements $a'_l \in G$, $a'_r \in SK_A^{(r)}$ with $a'_l t_j a'_r = t'_j$ for all $j = 1, \ldots, n$.

A solution $(a'_l, a'_r)$ to this $n$-simDP satisfies the property $a'_l y a'_r = a_l y a_r$ for all $y \in SK_B^{(l)}$.

Analogously, a successful attack on Bob's secret key requires the solution of the following

$m$-simDP ($m$-Simultaneous Decomposition Problem):

Input: Element pairs $(s_1, s'_1), \ldots, (s_m, s'_m) \in G^2$ with $s'_i = b_l s_i b_r$ $\forall\, 1 \le i \le m$ for some (unknown) $b_l \in SK_B^{(l)}$, $b_r \in G$.

Objective: Find elements $b'_l \in SK_B^{(l)}$, $b'_r \in G$ with $b'_l s_i b'_r = s'_i$ for all $i = 1, \ldots, m$.

A solution $(b'_l, b'_r)$ to this $m$-simDP satisfies the property $b'_l x b'_r = b_l x b_r$ for all $x \in SK_A^{(r)}$.

Therefore, a solution to both problems provides the attacker with the shared secret, because

$$(a'_l b'_l a'_r) b'_r = (a_l b'_l a_r) b'_r = a_l (b'_l a_r b'_r) = a_l (b_l a_r b_r) = K.$$

Here the first and the last equality hold, because $b'_l \in SK_B^{(l)}$ and $a_r \in SK_A^{(r)}$, respectively. Alternatively, we can use the equality chain

$$a'_l (b'_l a'_r b'_r) = a'_l (b_l a'_r b_r) = (a'_l b_l a'_r) b_r = (a_l b_l a_r) b_r = K,$$

where here the first and the last equality hold, because $a'_r \in SK_A^{(r)}$ and $b_l \in SK_B^{(l)}$, respectively. Further, the first equality chain shows us that it is sufficient to find a solution $(a'_l, a'_r) \in G^2$ to the $n$-simDP and a solution $(b'_l, b'_r) \in SK_B^{(l)} \times G$ to the $m$-simDP. Analogously, the second equality chain shows us that it is sufficient to find a solution $(a'_l, a'_r) \in G \times SK_A^{(r)}$ to the $n$-simDP and a solution $(b'_l, b'_r) \in G^2$ to the $m$-simDP.

Note that the knowledge of one secret key, e.g. Alice's key $(a_l, a_r) \in G \times SK_A^{(r)}$, is not sufficient for an attacker to obtain the shared secret $K$, because he needs not only $a_r$ expressed in the generators of the group $G$, but rather an expression of the form

$$a_r = r_1 r_2^{-1} r_3 r_4^{-1} \cdots r_{2l}^{-1} r_{2l+1} \quad \text{with } r_i \in \{s_1, \ldots, s_m\}.$$

Remark. An attacker might approach an $n$-simDP instance $\{(t_i, t'_i)\}_{i \le n}$ by considering the $\binom{n}{2}$-ssCSP instance $\{(t'_i (t'_j)^{-1}, t_i t_j^{-1}) \mid 1 \le i \ne j \le n\}$ or the $\binom{n}{2}$-ssCSP instance $\{(t_i^{-1} t_j, (t'_i)^{-1} t'_j) \mid 1 \le i \ne j \le n\}$ in order to solve for $a_l$ or $a_r$, respectively. For example, in the latter case, we have

$$a_r^{-1} (t_i^{-1} t_j) a_r = (a_r^{-1} t_i^{-1} a_l^{-1})(a_l t_j a_r) = (t'_i)^{-1} t'_j.$$

Therefore, either the simultaneous (subgroup)-CSP has to be hard in $G$, or, if the simCSP is (at least heuristically) approachable in $G$, it is recommended that the sets $\{t_i^{-1} t_j \mid 1 \le i \ne j \le n\}$ and $\{t_i t_j^{-1} \mid 1 \le i \ne j \le n\}$ have large centralizers. This may be ensured if the set $\{t_1, \ldots, t_n\}$ itself has a large centralizer, and thus also $S_B$. Similarly $S_A$ should have a large centralizer.
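The protocol of section 3.2.2 with alternating-word keys, together with the identity behind the Remark above, as an added example (not code from the paper): the toy platform is $G = S_7$, the generators, seed and word lengths are constructed assumptions, and the last check confirms that every pair $(t_i^{-1} t_j, (t'_i)^{-1} t'_j)$ built from Alice's public key is indeed a conjugacy-search instance with conjugator $a_r$, which is why the text asks for large centralizers.

```python
# Added example (not from the paper): the non-associative KEP of section 3.2.2 over the
# toy platform G = S_7, with Alice's a_r and Bob's b_l chosen as alternating words in the
# public generators, plus the check behind the Remark that each pair
# (t_i^{-1} t_j, (t'_i)^{-1} t'_j) is a conjugacy-search instance with conjugator a_r.
# All names and values are constructed; S_7 is a demonstration platform, not a secure one.
import random

N = 7
IDENTITY = tuple(range(N))

def mul(x, y):
    """Product xy, read left to right (apply x, then y)."""
    return tuple(y[x[i]] for i in range(N))

def inv(x):
    r = [0] * N
    for i, xi in enumerate(x):
        r[xi] = i
    return tuple(r)

def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

def alternating_word(gens, idx):
    """r_1 r_2^{-1} r_3 r_4^{-1} ... r_{2l}^{-1} r_{2l+1} for r_i = gens[idx[i]] (odd length)."""
    if len(idx) % 2 != 1:
        raise ValueError("an alternating word has odd length")
    w = IDENTITY
    for pos, i in enumerate(idx):
        w = mul(w, gens[i] if pos % 2 == 0 else inv(gens[i]))
    return w

def beta(x1, x2, y):
    """beta((x_1, x_2), y) = x_1 y x_2"""
    return mul(mul(x1, y), x2)

def alice_key(bob_pub, a_l, a_idx):
    """Steps 3-4 for Alice: (b_l r_1 b_r)(b_l r_2 b_r)^{-1}... = b_l a_r b_r, K = a_l (b_l a_r b_r)."""
    return mul(a_l, alternating_word(bob_pub, a_idx))

def bob_key(alice_pub, b_r, b_idx):
    """Steps 3-4 for Bob: (a_l u_1 a_r)(a_l u_2 a_r)^{-1}... = a_l b_l a_r, K = (a_l b_l a_r) b_r."""
    return mul(alternating_word(alice_pub, b_idx), b_r)

def run(seed, m=4, n=4, l=3):
    """One session; returns (keys agree and equal a_l b_l a_r b_r, Remark identity holds)."""
    rng = random.Random(seed)
    S = [random_perm(rng) for _ in range(m)]   # Alice's public generators s_1..s_m
    T = [random_perm(rng) for _ in range(n)]   # Bob's public generators t_1..t_n
    # step 1: secret keys (a_l, a_r) in G x SK_A^{(r)} and (b_l, b_r) in SK_B^{(l)} x G
    a_idx = [rng.randrange(m) for _ in range(2 * l + 1)]
    a_l, a_r = random_perm(rng), alternating_word(S, a_idx)
    b_idx = [rng.randrange(n) for _ in range(2 * l + 1)]
    b_l, b_r = alternating_word(T, b_idx), random_perm(rng)
    # step 2: public keys
    alice_pub = [beta(a_l, a_r, t) for t in T]   # a_l t_j a_r
    bob_pub = [beta(b_l, b_r, s) for s in S]     # b_l s_i b_r
    K_A = alice_key(bob_pub, a_l, a_idx)
    K_B = bob_key(alice_pub, b_r, b_idx)
    K = mul(mul(mul(a_l, b_l), a_r), b_r)        # a_l b_l a_r b_r
    # the Remark: a_r^{-1} (t_i^{-1} t_j) a_r = (t'_i)^{-1} t'_j for every i != j
    remark_holds = all(
        mul(mul(inv(a_r), mul(inv(T[i]), T[j])), a_r) == mul(inv(alice_pub[i]), alice_pub[j])
        for i in range(n) for j in range(n) if i != j)
    return K_A == K_B == K, remark_holds

if __name__ == "__main__":
    print(run(7))
```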

3.3 Non-associative KEP based on simultaneous symmetric DP

Here we consider the following specifications of the AAG scheme for magmas: Let $k, l \in \mathbb{N}$, and let $G = M = N = S_1 = S_2$ be a group. The group multiplication symbol in $G$ will usually be omitted. The operations $\bullet_i, \circ_i$ ($i = 1, 2$) on $G$ are defined as in the previous subsection by

$$x \bullet_1 y = x \bullet_2 y = x \circ_1 y = x \circ_2 y = x \bullet y := x y^{-1} x,$$

and the functions $\beta_1, \beta_2 : G \times G \to G$ are defined by

$$\beta_1(x, y) = x^k y x, \quad \beta_2(x, y) = x y x^l.$$

$\beta_i(x, \cdot)$ ($i = 1, 2$) fulfills the homomorphy condition (1) for all $x \in G$, because

$$\beta_i(x, y_1) \bullet \beta_i(x, y_2) = (x^k y_1 x^l) \bullet (x^k y_2 x^l) = (x^k y_1 x^l) x^{-l} y_2^{-1} x^{-k} (x^k y_1 x^l) = x^k (y_1 y_2^{-1} y_1) x^l = \beta_i(x, y_1 \bullet y_2),$$

where either $k = 1$ or $l = 1$.

Alice and Bob publicly assign sets $\{s_1, \ldots, s_m\}, \{t_1, \ldots, t_n\} \subset G$, respectively. The secret key spaces of Alice and Bob are the submagmas $S_A = \langle s_1, \ldots, s_m \rangle_\bullet$ and $S_B = \langle t_1, \ldots, t_n \rangle_\bullet$ of $(G, \bullet)$ generated by the publicly assigned elements. The projections $\pi_1, \pi_2$ are the identity $\mathrm{id}_G$, and the functions $\gamma_1, \gamma_2 : G \times G \to G$ are defined by

$$\gamma_1(x, y) = x^k y, \quad \gamma_2(x, y) = y x^l.$$

These definitions satisfy condition (3), which gives the shared key

$$\gamma_1(a, \beta_2(b, \pi_1(a))) = \gamma_1(a, b a b^l) = a^k b a b^l = \gamma_2(b, a^k b a) = \gamma_2(b, \beta_1(a, \pi_2(b))).$$

Consider the simultaneous version of the symmetrical decomposition problem (see [CDW07]).

$n$-sim $(k,l)$-SDP ($n$-simultaneous $(k,l)$-Symmetrical Decomposition Problem):

Input: Integers $(k, l) \in \mathbb{Z}^2$ and element pairs $(t_1, t'_1), \ldots, (t_n, t'_n) \in G^2$ with $t'_j = a^k t_j a^l$ $\forall\, 1 \le j \le n$ for some (unknown) $a \in G$.

Objective: Find an element $a' \in G$ with $a'^k t_j a'^l = t'_j$ for all $j = 1, \ldots, n$.

We conclude that an attack on Alice's or Bob's private key has to master an $n$-sim $(k,1)$-SDP or an $m$-sim $(1,l)$-SDP, respectively.

Remark. One may also consider a variant of that KEP where the integers $k, l$ are parts of Alice's and Bob's secret key. In particular, set $S_1 = S_2 = \mathbb{Z} \times G$, $\pi_1 = \pi_2 : (p, x) \mapsto x$, $\beta_1((k,a), y) = a^k y a$, $\beta_2((l,b), y) = b y b^l$, $\gamma_1((k,a), v) = a^k v$, and $\gamma_2((l,b), v) = v b^l$. Then an attack, e.g. on Alice's secret key, has to provide $k \in \mathbb{Z}$ and $a \in G$ such that $a^k t_j a = t'_j$ for all $j$.

4 Non-associative schemes for LD-systems

4.1 LD- and multi-LD-systems

4.1.1 Definition

Definition 4.1. An LD-system $(S, *)$ is a set $S$ equipped with a binary operation $*$ on $S$ which satisfies the left-selfdistributivity law

$$x * (y * z) = (x * y) * (x * z) \quad \forall x, y, z \in S.$$

Definition 4.2. (Section X.3. in [De00]) Let $I$ be an index set. A multi-LD-system $(S, (*_i)_{i \in I})$ is a set $S$ equipped with a family of binary operations $(*_i)_{i \in I}$ on $S$ such that

$$x *_i (y *_j z) = (x *_i y) *_j (x *_i z) \quad \forall x, y, z \in S$$

is satisfied for every $i, j$ in $I$. Especially, it holds for $i = j$, i.e., $(S, *_i)$ is an LD-system. If $|I| = 2$ then we call $S$ a bi-LD-system.

A classical example for an LD-system is given by a group $G$ equipped with the conjugacy operation $x * y = x^{-1} y x$. We also mention the Laver tables (Chapter X in [De00]) as standard examples for finite monogenic LD-systems. Many examples for LD-, bi-LD- and multi-LD-systems are given in Dehornoy's monograph [De00].
4.1.2 $f$-conjugacy

One may consider several generalizations of the conjugacy operation as candidates for natural LD-operations in groups. Consider an Ansatz like $x * y = f(x^{-1}) g(y) h(x)$ for some group endomorphisms $f, g, h$.

Proposition 4.3. Let $G$ be a group, and $f, g, h \in \mathrm{End}(G)$. Then the binary operation $x * y = f(x^{-1}) \cdot g(y) \cdot h(x)$ yields an LD-structure on $G$ if and only if

$$fh = f, \quad gh = hg = hf, \quad fg = gf = f^2, \quad h^2 = h. \qquad (1)$$

Proof. A straightforward computation yields

$$\alpha * (\beta * \gamma) = f(\alpha^{-1})\, gf(\beta^{-1})\, g^2(\gamma)\, gh(\beta)\, h(\alpha), \quad \text{and}$$
$$(\alpha * \beta) * (\alpha * \gamma) = fh(\alpha^{-1})\, fg(\beta^{-1})\, f^2(\alpha)\, gf(\alpha^{-1})\, g^2(\gamma)\, gh(\alpha)\, hf(\alpha^{-1})\, hg(\beta)\, h^2(\alpha).$$

A comparison of both terms yields the assertion. □

The simplest solution of the system of equations (1) is $f = g$ and $h = \mathrm{id}$. This leads to the following definition.

Definition 4.4. (LD- or $f$-conjugacy) Let $G$ be a group, and $f \in \mathrm{End}(G)$. An ordered pair $(u, v) \in G \times G$ is called $f$-LD-conjugated or LD-conjugated, or simply $f$-conjugated, denoted by $u \to_f v$, if $\exists c \in G$ such that $v = c *_f u = f(c^{-1} u) c$.

Remark. For any non-trivial endomorphism $f$, the relation $\to_f$ does not define an equivalence relation on $G$. Even the relation $\to$ defined by $u \to v$ iff $\exists f \in \mathrm{Aut}(G)$ s.t. $u \to_f v$ is not an equivalence relation. Indeed, transitivity requires the automorphisms (the relation must be symmetric!) to be idempotent endomorphisms ($f^2 = f$), which implies $f = \mathrm{id}$.

Compare the notion of $f$-LD-conjugacy with the well known notion of $f$-twisted conjugacy, defined by $u \sim_f v$ (for $f \in \mathrm{Aut}(G)$) iff $\exists c \in G$ s.t. $v = f(c^{-1}) u c =: c *_f^{tw} u$, which yields indeed an equivalence relation. On the other hand, the operation $*^{tw} = *_f^{tw}$ is not LD; rather it satisfies the following "near" LD-law:

$$\alpha *^{tw} (\beta *^{tw} \gamma) = (\alpha *^{tw} \beta) *^{tw} (\alpha^f *^{tw} \gamma),$$

where $\alpha^f$ is short for $f(\alpha)$.

Anyway, it follows directly from the definitions that $u \to_f v$ if and only if $f(u) \sim_f v$, i.e., any $f$-LD conjugacy problem reduces to a twisted conjugacy problem and vice versa. Here we have to extend the notion of twisted conjugacy from $f \in \mathrm{Aut}(G)$ to all $f \in \mathrm{End}(G)$.

4.1.3 Shifted conjugacy

Patrick Dehornoy introduced the following generalization of $f$-conjugacy, and he points out that once the definition of shifted conjugacy is used, braids inevitably appear [De00, De06].

Proposition 4.5. (Exercise I.3.20 in [De00]) Consider a group $G$, a homomorphism $f : G \to G$, and a fixed element $a \in G$. Then the binary operation

$$x * y = x *_{f,a} y = f(x^{-1}) \cdot a \cdot f(y) \cdot x$$

yields an LD-structure on $G$ if and only if $[a, f^2(x)] = 1$ for all $x \in G$, and $a$ satisfies the relation $a f(a) a = f(a) a f(a)$. Hence the subgroup $H = \langle \{ f^n(a) \mid n \in \mathbb{N} \} \rangle$ of $G$ is a homomorphic image of the braid group

$$B_\infty = \langle \{\sigma_i\}_{i \ge 1} \mid \sigma_i \sigma_j = \sigma_j \sigma_i \text{ for } |i - j| \ge 2,\ \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \text{ for } |i - j| = 1 \rangle$$

with infinitely many strands, i.e., up to an isomorphism, it is a quotient of $B_\infty$.

There exists a straightforward generalization of Proposition 4.5 for multi-LD-systems:

Proposition 4.6. Let $I$ be an index set. Consider a group $G$, a family of endomorphisms $(f_i)_{i \in I}$ of $G$, and a set of fixed elements $\{a_i \in G \mid i \in I\}$. Then $(G, (*_i)_{i \in I})$ with

$$x *_i y = f_i(x^{-1}) \cdot a_i \cdot f_i(y) \cdot x$$

is a multi-LD-system if and only if $f_i = f_j =: f$ for all $i \ne j$, $[a_i, f^2(x)] = 1$ for all $x \in G$, $i \in I$, and $a_i f(a_i) a_j = f(a_j) a_i f(a_i)$ for all $i, j \in I$.

Proof. A straightforward computation gives

$$x *_i (y *_j z) = f_i(x^{-1})\, a_i\, [f_i(f_j(y^{-1}))\, f_i(a_j)\, f_i(f_j(z))\, f_i(y)]\, x,$$
$$(x *_i y) *_j (x *_i z) = [f_j(x^{-1})\, f_j(f_i(y^{-1}))\, f_j(a_i^{-1})\, f_j(f_i(x))]\, a_j\, [f_j(f_i(x^{-1}))\, f_j(a_i)\, f_j(f_i(z))\, f_j(x)]\, [f_i(x^{-1})\, a_i\, f_i(y)\, x].$$

A comparison of both terms yields the assertion. □

Note that this proof also contains proofs of Proposition 4.5 (setting $|I| = 1$) and of the following Corollary 4.7 (setting $G = B_\infty$, $I = \{1, 2\}$, $f = \partial$, $*_1 = *$, $*_2 = \bar{*}$, $a_1 = \sigma_1$ and $a_2 = \sigma_1^{-1}$).

Consider the injective shift endomorphism $\partial : B_\infty \to B_\infty$ defined by $\sigma_i \mapsto \sigma_{i+1}$ for all $i \ge 1$.

Corollary 4.7. (Shifted conjugacy, Example X.3.5 in [De00]) $B_\infty$ equipped with the shifted conjugacy operations $*, \bar{*}$ defined by

$$x * y = \partial x^{-1} \cdot \sigma_1 \cdot \partial y \cdot x, \quad x \,\bar{*}\, y = \partial x^{-1} \cdot \sigma_1^{-1} \cdot \partial y \cdot x$$

is a bi-LD-system. In particular, $(B_\infty, *)$ is an LD-system.

4.1.4 Generalized shifted conjugacy in braid groups

In the following we consider generalizations of the shifted conjugacy operations $*$ in $B_\infty$. Therefore we set $f = \partial^p$ for some $p \in \mathbb{N}$, and we choose $a_i \in B_{2p}$ for all $i \in I$ such that

$$a_i \partial^p(a_i) a_j = \partial^p(a_j) a_i \partial^p(a_i) \quad \forall i, j \in I. \qquad (2)$$

Since $a_i \in B_{2p}$, we have $[a_i, \partial^{2p}(x)] = 1$ for all $x \in B_\infty$. Thus the conditions of Proposition 4.6 are fulfilled, and $x *_i y = \partial^p(x^{-1}) a_i \partial^p(y) x$ defines a multi-LD-structure on $B_\infty$. For $|I| = 1$, $p = 1$ and $a = \sigma_1$, which implies $H = B_\infty$, we get Dehornoy's original definition of shifted conjugacy $*$.

It remains to give some natural solutions $\{a_i \in B_{2p} \mid i \in I\}$ of the equation set (2). Note that in case $|I| = 1$ (notation: $a_1 = a$), of course, every endomorphism $f$ of $B_\infty$ with $f(\sigma_1) \in B_{2p}$ provides such a solution $a = f(\sigma_1)$.

Definition 4.8. (Definition I.4.6 in [De00]) Let, for $n \ge 2$, $\delta_n = \sigma_{n-1} \cdots \sigma_2 \sigma_1$. For $p, q \ge 1$, we set

$$\tau_{p,q} = \delta_{p+1}\, \partial(\delta_{p+1}) \cdots \partial^{q-1}(\delta_{p+1}).$$

Since $a = \tau_{p,p} \in B_{2p}$ fulfills $a \partial^p(a) a = \partial^p(a) a \partial^p(a)$, it provides a lot of (multi)-LD-structures on $B_\infty$.

Proposition 4.9. (a) The binary operation $x *_a y = \partial^p(x^{-1}) a \partial^p(y) x$ with $a = a' \tau_{p,p} a''$ for some $a', a'' \in B_p$ yields an LD-structure on $B_\infty$ if and only if $[a', a''] = 1$.

(b) Let $I$ be an index set. The binary operations $x *_i y = \partial^p(x^{-1}) a_i \partial^p(y) x$ with $a_i = a'_i \tau_{p,p} a''_i$ for some $a'_i, a''_i \in B_p$ ($i \in I$) yield a multi-LD-structure on $B_\infty$ if and only if $[a'_i, a'_j] = [a'_i, a''_j] = 1$ for all $i, j \in I$. (Note that $a''_i$ and $a''_j$ needn't commute for $i \ne j$.)

(c) The binary operations $x *_i y = \partial^p(x^{-1}) a_i \partial^p(y) x$ ($i = 1, 2$) with $a_1 = a'_1 \tau_{p,p} a''_1$, $a_2 = a'_2 \tau_{p,p} a''_2$ for some $a'_1, a''_1, a'_2, a''_2 \in B_p$ yield a bi-LD-structure on $B_\infty$ if and only if $[a'_1, a''_1] = [a'_2, a''_2] = [a'_1, a'_2] = [a'_2, a''_1] = [a'_1, a''_2] = 1$. (Note that $a''_1$ and $a''_2$ needn't commute.)

Another solution. We see that there exist infinitely many (multi)-LD-structures on $B_\infty$. Further examples are provided by Proposition 4.10 which, of course, admits a lot of variations and generalizations.

Proposition 4.10. Let $p, p_1, p_2 \in \mathbb{N}$ with $p_1 + p_2 = p$. The binary operation $x *_a y = \partial^p(x^{-1}) a \partial^p(y) x$ with

$$a = a'_1\, \partial^{p_1}(a'_2)\, \partial^{p_1}(\tau_{p_2,p})\, \tau_{p_1,p}\, a''_1\, \partial^{p_1}(a''_2)$$

for some $a'_1, a''_1 \in B_{p_1}$, $a'_2, a''_2 \in B_{p_2}$ yields an LD-structure on $B_\infty$ if and only if $[a'_1, a''_1] = [a'_2, a''_2] = 1$.

The proofs of Proposition 4.9 and 4.10 are straightforward computations. The reader is recommended to draw some pictures.

4.1.5 Yet another group-based LD-system

Though we are sure that it must have been well known to experts, we haven't been able to find the following natural LD-operation for groups in the literature. For a group $G$, $(G, \circ)$ is an LD-system with $x \circ y = x y^{-1} x$.

Note that, contrary to the conjugacy operation $*$, for this "symmetric decomposition" or symmetric conjugacy operation $\circ$, the corresponding relation $\to_\circ$ (defined by $x \to_\circ y$ iff $\exists c \in G$ such that $y = c \circ x$) is not an equivalence relation. In particular, $\to_\circ$ is reflexive and symmetric, but not transitive.

One may consider several generalizations of this symmetric conjugacy operation $\circ$ as candidates for natural LD-operations in groups. Consider an Ansatz like $x \circ y = f(x) g(y^{-1}) h(x)$ for some group endomorphisms $f, g, h$.

Proposition 4.11. Let $G$ be a group, and $f, g, h \in \mathrm{End}(G)$. Then the binary operation $x \circ y = f(x) \cdot g(y^{-1}) \cdot h(x)$ yields an LD-structure on $G$ if and only if

$$f^2 = f, \quad fh = gh = fg, \quad hg = gf = hf, \quad h^2 = h. \qquad (3)$$

Proof. A straightforward computation yields

$$\alpha \circ (\beta \circ \gamma) = f(\alpha)\, gh(\beta^{-1})\, g^2(\gamma)\, gf(\beta^{-1})\, h(\alpha), \quad \text{and}$$
$$(\alpha \circ \beta) \circ (\alpha \circ \gamma) = f^2(\alpha)\, fg(\beta^{-1})\, fh(\alpha)\, gh(\alpha^{-1})\, g^2(\gamma)\, gf(\alpha^{-1})\, hf(\alpha)\, hg(\beta^{-1})\, h^2(\alpha).$$

A comparison of both terms yields the assertion. □

Except for $f^2 = f = g = h = h^2$, the simplest solutions of the system of equations (3) are $f^2 = f = g$ and $h = \mathrm{id}$, or $f = \mathrm{id}$ and $g = h = h^2$.

Corollary 4.12. (LD- or $f$-symmetric conjugacy) Let $G$ be a group, and $f \in \mathrm{End}(G)$ an endomorphism that is also a projector ($f^2 = f$). Then $(G, \circ_f)$ and $(G, \circ_f^{rev})$, defined by $x \circ_f y = f(x y^{-1}) x$ and $x \circ_f^{rev} y = x f(y^{-1} x)$, are LD-systems.

Proposition 4.13. Let $G$ be a group, and $f, g \in \mathrm{End}(G)$.

(i) Then the binary operations $\circ_f$ and $*_f$ (and $*_f^{rev}$), defined by $x \circ_f y = f(x \cdot y^{-1}) \cdot x$ and $x *_f y = f(x^{-1} \cdot y) \cdot x$ ($x *_f^{rev} y = x \cdot f(y \cdot x^{-1})$), are distributive over $\circ$. In particular $*$ ($*^{rev}$) is distributive over $\circ$. In short, the following equations hold:

$$x *_f (y \circ z) = (x *_f y) \circ (x *_f z), \quad x \circ_f (y \circ z) = (x \circ_f y) \circ (x \circ_f z) \quad \forall x, y, z \in G.$$
(ii) The operations $\circ_f$ and $*_f$ ($*_f^{rev}$) are distributive over $\circ_g$ if and only if $fg = gf$.

4.2 Non-associative AAG $f$-commutator KEP

Now we consider the most natural special case of our general AAG scheme for magmas (see section 3.1). Let $M = N = S_i$. This implies that the functions $\beta_i, \gamma_i$, for $i = 1, 2$, induce further binary operations on $M$. In particular, we introduce the notation $x *_i y = \beta_i(x, y)$. Now, the homomorphy condition (1) (in section 3.1) reads as

$$x *_1 (y \bullet_2 y') = (x *_1 y) \circ_2 (x *_1 y') \quad \text{and} \quad x *_2 (y \bullet_1 y') = (x *_2 y) \circ_1 (x *_2 y').$$

If $\bullet_i = \circ_i$ holds for $i = 1, 2$, then $M$ fulfills two distributive laws. And if additionally $\bullet_1 = \bullet_2 = *_1 = *_2 =: *$, then $(M, *)$ is an LD-system. We observe that LD-systems occur in a very natural special case of the general AAG scheme for magmas. Nevertheless, this does not imply that we get by that construction KEP's for all LD-systems. Indeed, in order to obtain a shared key, we have to specify the projections $\pi_i$ and binary operations $\gamma_i$, which themselves depend on the specification of the LD-operation $*$. In the following we set $\pi_i = \mathrm{id}_M$ for $i = 1, 2$.

Now, we establish a (non-associative) AAG-KEP for groups with $f$-conjugacy as LD-operation. Let $M = G$ be a group and $f \in \mathrm{End}(G)$; then $(G, *)$ with $* = *_f$ (see Def. 4.4) is an LD-system according to Proposition 4.3.

Definition 4.14. ($f$-commutators) Let $G$ be a group, and $f \in \mathrm{End}(G)$. The $f$-commutator of an ordered pair $(u, v) \in G \times G$ is defined by

$$[u, v]_f := u^{-1} f(v^{-1}) f(u) v.$$
The AAG $f$-commutator KEP is given by the following further specifications of the general AAG scheme for magmas (section 3.1):

$$\gamma_1(u, v) = u^{-1} v, \quad \gamma_2(u, v) = v^{-1} u.$$

Now, Alice and Bob perform the following protocol steps.

1. Alice generates her secret key $a$ in the public submagma $S_1 = \langle s_1, \ldots, s_m \rangle_*$ of $(G, *)$, and Bob chooses his secret key $b \in S_2 = \langle t_1, \ldots, t_n \rangle_*$.

2. Alice computes the elements $a * t_1, \ldots, a * t_n \in G$, and sends them to Bob. Analogously Bob computes the elements $b * s_1, \ldots, b * s_m \in G$, and sends them to Alice.

3. Alice, knowing $a = T_*(r_1, \ldots, r_k)$ with $r_i \in \{s_1, \ldots, s_m\}$, computes from Bob's public key
$$T_*(b * r_1, \ldots, b * r_k) = b * T_*(r_1, \ldots, r_k) = b * a = f(b^{-1} a) b.$$
And Bob, knowing $b = T'_*(u_1, \ldots, u_{k'})$ with $u_j \in \{t_1, \ldots, t_n\}$, computes from Alice's public key
$$T'_*(a * u_1, \ldots, a * u_{k'}) = a * T'_*(u_1, \ldots, u_{k'}) = a * b = f(a^{-1} b) a.$$

4. Alice computes $K := \gamma_1(a, b * a) = a^{-1}(b * a) = a^{-1} f(b^{-1} a) b = [a, b]_f$. Bob gets the shared key by $\gamma_2(b, a * b) = (a * b)^{-1} b = (f(a^{-1} b) a)^{-1} b = K$.

In order to break this scheme an attacker obviously has to solve the following base problem.

$f$-AAGP ($f$-Commutator AAG-Problem): Let $(G, *)$ be a group with $\alpha * \beta = f(\alpha^{-1} \beta) \alpha$ for some $f \in \mathrm{End}(G)$. Furthermore, let $A = \langle a_1, \ldots, a_k \rangle_*$ and $B = \langle b_1, \ldots, b_m \rangle_*$ be two f.g. submagmas of $(G, *)$.

Input: $\{(a_i, y * a_i) \in G^2 \mid i = 1, \ldots, k\} \cup \{(b_j, x * b_j) \in G^2 \mid j = 1, \ldots, m\}$ with $x \in A$ and $y \in B$.

Objective: Find the $f$-commutator $[x, y]_f := x^{-1} f(y^{-1} x) y$.

But a successful attack on Bob's secret key requires at least the solution of the following

$m$-sim $f$-CSP ($m$-Simultaneous $f$-Conjugacy Search Problem):

Input: Pairs $(s_1, s'_1), \ldots, (s_m, s'_m) \in G^2$ with $s'_i = b * s_i = f(b^{-1} s_i) b$ $\forall\, 1 \le i \le m$ for some (unknown) $b \in G$.

Objective: Find an element $b' \in G$ with $f(b'^{-1} s_i) b' = f(b^{-1} s_i) b$ for all $i = 1, \ldots, m$.

Even if one solves that problem, one might not have found Bob's original secret $b$. This raises the question of how rigid solutions to the simultaneous $f$-CSP are. A vague indication for some kind of rigidity is the fact that $f(b' b^{-1})$ and $b' b^{-1}$ are conjugated, with every $f(s_i)$ ($1 \le i \le m$) being a valid conjugator. Anyway, even if an attacker finds Bob's original key $b$, then she still faces the following problem.
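The $f$-commutator KEP above, run as an added example (not code from the paper) over the toy platform $G = S_7$ with $f$ the inner endomorphism $f(x) = p^{-1} x p$ for a constructed $p$; the secret keys are tree-words in the public generators evaluated with $*_f$, step 3 is literally the homomorphism identity $T_*(b * r_1, \ldots, b * r_k) = b * T_*(r_1, \ldots, r_k)$, and both sides of the key are checked against $[a, b]_f$. Generators, seed, tree depth and the group are assumptions of this example only.

```python
# Added example (not from the paper): the AAG f-commutator KEP over the toy platform
# G = S_7 with f the inner endomorphism f(x) = p^{-1} x p, so x *_f y = f(x^{-1} y) x.
# Secret keys are tree-words (nested tuples) in the public generators, evaluated with *_f,
# and step 3 is exactly the homomorphism property beta(b, T_*(r)) = T_*(beta(b, r_i)).
# Everything here is constructed; a 7-element symmetric group is for illustration only.
import random

N = 7
IDENTITY = tuple(range(N))

def mul(x, y):
    """Product xy, read left to right (apply x, then y)."""
    return tuple(y[x[i]] for i in range(N))

def inv(x):
    r = [0] * N
    for i, xi in enumerate(x):
        r[xi] = i
    return tuple(r)

def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

P = (3, 0, 6, 1, 5, 2, 4)   # constructed: the element p defining the inner endomorphism f

def f(x):
    """f(x) = p^{-1} x p, an endomorphism of G (here even an automorphism)."""
    return mul(mul(inv(P), x), P)

def star(x, y):
    """f-conjugacy x *_f y = f(x^{-1} y) x (Definition 4.4)."""
    return mul(f(mul(inv(x), y)), x)

def is_ld(x, y, z):
    """The left-selfdistributivity law x*(y*z) = (x*y)*(x*z) on one triple."""
    return star(x, star(y, z)) == star(star(x, y), star(x, z))

def f_commutator(u, v):
    """[u, v]_f = u^{-1} f(v^{-1}) f(u) v (Definition 4.14)."""
    return mul(mul(mul(inv(u), f(inv(v))), f(u)), v)

def random_tree(rng, n_gens, depth):
    """Planar rooted binary tree: a leaf is a generator index, a node a pair of subtrees."""
    if depth == 0 or rng.random() < 0.25:
        return rng.randrange(n_gens)
    return (random_tree(rng, n_gens, depth - 1), random_tree(rng, n_gens, depth - 1))

def eval_tree(tree, leaves):
    """T_*(leaves): graft subtrees with *_f, leaves replaced by the given elements."""
    if isinstance(tree, int):
        return leaves[tree]
    return star(eval_tree(tree[0], leaves), eval_tree(tree[1], leaves))

def run(seed, m=4, n=4, depth=4):
    """One session of the KEP; returns (K_A, K_B, [a, b]_f)."""
    rng = random.Random(seed)
    S = [random_perm(rng) for _ in range(m)]   # public generators of S_1 = <s_1..s_m>_*
    T = [random_perm(rng) for _ in range(n)]   # public generators of S_2 = <t_1..t_n>_*
    a_tree = random_tree(rng, m, depth)        # step 1: a = T_*(r_1, ..., r_k)
    b_tree = random_tree(rng, n, depth)        # step 1: b = T'_*(u_1, ..., u_k')
    a, b = eval_tree(a_tree, S), eval_tree(b_tree, T)
    alice_pub = [star(a, t) for t in T]        # step 2: a * t_j
    bob_pub = [star(b, s) for s in S]          # step 2: b * s_i
    b_star_a = eval_tree(a_tree, bob_pub)      # step 3: T_*(b*r_1, ..., b*r_k) = b * a
    a_star_b = eval_tree(b_tree, alice_pub)    # step 3: T'_*(a*u_1, ...) = a * b
    K_A = mul(inv(a), b_star_a)                # step 4: gamma_1(a, b*a) = a^{-1}(b*a)
    K_B = mul(inv(a_star_b), b)                # step 4: gamma_2(b, a*b) = (a*b)^{-1} b
    return K_A, K_B, f_commutator(a, b)

if __name__ == "__main__":
    K_A, K_B, K = run(11)
    print("shared key agrees:", K_A == K_B == K)
```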
$*_f$-MSP ($*_f$-submagma Membership Search Problem):

Input: $b, t_1, \ldots, t_n \in G$.

Objective: Find an expression of $b$ as a tree-word in the submagma $\langle t_1, \ldots, t_n \rangle_*$ (notation $b = T_*(u_1, \ldots, u_k)$ for $u_i \in \{t_j\}_{j \le n}$), if it exists.

Another approach is to attack (additionally to Bob's secret key) also Alice's key, i.e., to solve the $n$-simultaneous $f$-CSP instance $\{(t_j, t'_j)\}_{j \le n}$ with $t'_j = f(a^{-1} t_j) a$. An oracle to that problem provides an element $a' \in G$ such that $t'_j = f(a'^{-1} t_j) a'$ for all $j$. Then the attacker hopes that computation of the $f$-commutator $[a', b']_f =: K'$ might give her the shared key $K = [a, b]_f$. Though the $f$-CSP seems to be particularly interesting for non-invertible endomorphisms $f \in \mathrm{End}(G)$, here we compare $K'$ with $K$ for the simplest case where $f \in \mathrm{Inn}(G)$, i.e., there exists an element $p \in G$ s.t. $f(x) = p^{-1} x p$. Then it is easy to show that $b' b^{-1} =: c_1$ lies in $\bigcap_i C_G(s_i p)$, and $a' a^{-1} = c_2 \in \bigcap_j C_G(t_j p)$. A straightforward computation gives

$$K' = a'^{-1} p^{-1} b'^{-1} a' p b' = a^{-1} c_2^{-1} p^{-1} b^{-1} c_1^{-1} c_2 a p c_1 b.$$

We conclude that $K' = K$ if $[c_1, c_2] = [c_1, ap] = [c_2, bp] = 1$. But, in general, we have $C_G(ap) \ne \bigcap_i C_G(s_i p)$ and $C_G(bp) \ne \bigcap_j C_G(t_j p)$. Therefore, even in the case of $f \in \mathrm{Inn}(G)$, we can't hope to reduce the $f$-AAGP to a simultaneous subgroup CSP, as we have done it for the classical AAGP in Proposition 2.3. Nevertheless, as in the remark at the end of section 3.2.2, one may approach an $n$-sim $f$-CSP instance $\{(t_i, t'_i)\}_{i \le n}$ by considering the $\binom{n}{2}$-simCSP instance $\{(f(t_i^{-1} t_j), (t'_i)^{-1} t'_j) \mid 1 \le i \ne j \le n\}$ in order to solve for $a$. Indeed, here we have

$$a^{-1} f(t_i^{-1} t_j) a = (a^{-1} f(t_i^{-1} a))(f(a^{-1} t_j) a) = (t'_i)^{-1} t'_j.$$

Therefore, either the simultaneous CSP has to be hard in $G$, or, if the simCSP is (at least heuristically) approachable in $G$, it is recommended that the sets $\{t_i^{-1} t_j \mid 1 \le i \ne j \le n\}$ and $\{t_i t_j^{-1} \mid 1 \le i \ne j \le n\}$ have large centralizers. This may be ensured if the set $\{t_1, \ldots, t_n\}$ itself has a large centralizer. Similarly $\{s_1, \ldots, s_m\}$ should have a large centralizer.

4.2.1 An example in pure braid groups

Here we give a concrete suggestion for the group $G$ and the endomorphism $f \in \mathrm{End}(G)$. Let $G$ be the $n$-strand pure braid group $P_n$. For some small integer $d \ge 1$, consider the epimorphism $\eta_d : P_n \to P_{n-d}$ given by 'pulling out' (or erasing) the last $d$ strands, i.e. the strands $n-d+1, \ldots, n$. Recall the shift map $\partial$, and note that $\partial^d(P_{n-d}) \le P_n$. Now, we define the endomorphism $f : P_n \to P_n$ by the composition $f = \partial^d \circ \eta_d$.

4.3 Non-associative AAG shifted commutator KEP in braid groups

Here we establish a (non-associative) AAG-KEP for braid groups with shifted conjugacy as LD-operation. Recall from Corollary 4.7 that the braid group $(B_\infty, *, \bar{*})$ forms a bi-LD-system. Also recall the definition of the shift endomorphism $\partial$.

Definition 4.15. (shifted commutator) The shifted commutator of an ordered pair $(u, v) \in B_\infty \times B_\infty$ is defined by

$$[u, v]_{sh} := u^{-1} \partial(v^{-1}) \sigma_1 \partial(u) v.$$

The AAG shifted commutator KEP for the bi-LD-system $(B_\infty, *, \bar{*})$ is given by the following further specifications of the general AAG scheme for magmas (section 3.1).

Set $M = N = S_i = B_\infty$, $\pi_i = \mathrm{id}_M$, $\beta_i(x, y) =: x *_i y$ for $i = 1, 2$, $\bullet_1 = \circ_1 = *$, $\bullet_2 = \circ_2 = \bar{*}$, and

$$x *_1 y = x \,\bar{*}\, y = \partial(x^{-1}) \sigma_1^{-1} \partial(y) x, \quad x *_2 y = x * y = \partial(x^{-1}) \sigma_1 \partial(y) x, \quad \text{and}$$
$$\gamma_1(u, v) = u^{-1} v, \quad \gamma_2(u, v) = v^{-1} u.$$
Now, Alice and Bob perform the following protocol steps.

1. Alice generates her secret key $a$ in the public submagma $S_1 = \langle s_1, \dots, s_m \rangle_*$ of $(B_\infty, *, \bar{*})$, and Bob chooses his secret key $b \in S_2 = \langle t_1, \dots, t_n \rangle_{\bar{*}}$.

2. Alice computes the elements $a * t_1, \dots, a * t_n \in G$, and sends them to Bob. Analogously Bob computes the elements $b \,\bar{*}\, s_1, \dots, b \,\bar{*}\, s_m \in G$, and sends them to Alice.

3. Alice, knowing $a = T_1(r_1, \dots, r_k)$ with $r_i \in \{s_1, \dots, s_m\}$, computes from Bob's public key

$$T_1(b \,\bar{*}\, r_1, \dots, b \,\bar{*}\, r_k) = b \,\bar{*}\, T_1(r_1, \dots, r_k) = b \,\bar{*}\, a = \partial(b^{-1})\, \sigma_1\, \partial(a)\, b.$$

And Bob, knowing $b = T_2(u_1, \dots, u_{k'})$ with $u_j \in \{t_1, \dots, t_n\}$, computes from Alice's public key

$$T_2(a * u_1, \dots, a * u_{k'}) = a * T_2(u_1, \dots, u_{k'}) = a * b = \partial(a^{-1})\, \sigma_1^{-1}\, \partial(b)\, a.$$

4. Alice computes $K := \gamma_1(a, b \,\bar{*}\, a) = a^{-1}(b \,\bar{*}\, a) = a^{-1}\, \partial(b^{-1})\, \sigma_1\, \partial(a)\, b = [a, b]_{sh}$. Bob gets the shared key by $\gamma_2(b, a * b) = (a * b)^{-1} b = (\partial(a^{-1})\, \sigma_1^{-1}\, \partial(b)\, a)^{-1} b = K$.

In order to break this scheme an attacker obviously has to solve the following base problem.

sh-AAGP (shifted commutator AAG-Problem): Consider the bi-LD-system $(B_\infty, *, \bar{*})$. Let $A = \langle a_1, \dots, a_k \rangle_*$ and $B = \langle b_1, \dots, b_m \rangle_{\bar{*}}$ be two f.g. submagmas of $(B_\infty, *, \bar{*})$.

Input: $\{(a_i, y \,\bar{*}\, a_i) \in G^2 \mid i = 1, \dots, k\} \cup \{(b_j, x * b_j) \in G^2 \mid j = 1, \dots, m\}$ with $x \in A$ and $y \in B$.

Objective: Find the shifted commutator $[x, y]_{sh} := x^{-1}\, \partial(y^{-1})\, \sigma_1\, \partial(x)\, y$.

But a successful attack on Bob's secret key requires at least the solution of the following

$m$-sim sh-CSP ($m$-simultaneous shifted Conjugacy Search Problem):
Input: Pairs $(s_1, s_1'), \dots, (s_m, s_m') \in G^2$ with $s_i' = b \,\bar{*}\, s_i = \partial(b^{-1})\, \sigma_1\, \partial(s_i)\, b$ for all $1 \le i \le m$, for some (unknown) $b \in G$.
Objective: Find an element $b' \in G$ with $\partial(b'^{-1})\, \sigma_1\, \partial(s_i)\, b' = \partial(b^{-1})\, \sigma_1\, \partial(s_i)\, b$ for all $i = 1, \dots, m$.

As in the case of $f$-conjugacy, one may argue that finding $b$ is not sufficient, since the attacker still faces a submagma MSP for $(B_\infty, *, \bar{*})$. Furthermore, as for $*_f$, one may show that solving two simultaneous sh-CSP's (for Alice's and Bob's private keys) does in general not reduce the sh-AAGP to a simultaneous subgroup CSP, as for the classical AAGP.

Remark. Note that we actually do not need a bi-LD-system, like $(B_\infty, *, \bar{*})$, in order to build an AAG shifted commutator KEP. Indeed, two LD-operations, namely $x * y = \partial(x^{-1})\, \sigma_1\, \partial(y)\, x$ and its reverse $x *_{rev} y = x\, \partial(y)\, \sigma_1\, \partial(x^{-1})$, suffice. Here $(B_\infty, *, *_{rev})$ is not a bi-LD-system.

Alice and Bob choose $a \in \langle s_1, \dots, s_m \rangle_*$ and $b \in \langle t_1, \dots, t_n \rangle_{*_{rev}}$, and send $\{a^{-1} *_{rev} t_j\}_{j \le n}$ and $\{b^{-1} * s_i\}_{i \le m}$, respectively. Then they may compute

$$K_A = a^{-1}(b^{-1} * a) = a^{-1}\, \partial(b)\, \sigma_1\, \partial(a)\, b^{-1} = [a, b^{-1}]_{sh} = (a^{-1} *_{rev} b)\, b^{-1} = K_B.$$

Analogously, one may build an AAG $f$-commutator KEP using $*_f$ and its reverse operation.

Non-simultaneity. Analogous to the remarks in sections 3.2.2 and 4.2, an attacker might approach an $m$-sim sh-CSP instance $\{(s_i, s_i' = b \,\bar{*}\, s_i)\}_{i \le m}$ by considering the $\binom{m}{2}$-simCSP instance $\{(\partial(s_i^{-1} s_j), (s_i')^{-1} s_j') \mid 1 \le i \ne j \le m\}$ in order to solve for $b$. Indeed, here we have

$$b^{-1}\, \partial(s_i^{-1} s_j)\, b = \bigl(b^{-1}\, \partial(s_i^{-1})\, \sigma_1^{-1}\, \partial(b)\bigr)\bigl(\partial(b^{-1})\, \sigma_1\, \partial(s_j)\, b\bigr) = (s_i')^{-1} s_j'.$$

Therefore, it is recommended that the set $\{s_i^{-1} s_j \mid 1 \le i \ne j \le m\}$ (and analogously $\{t_i^{-1} t_j \mid 1 \le i \ne j \le n\}$) has a large centralizer. This may be ensured if the sets $\{s_1, \dots, s_m\}$ and $\{t_1, \dots, t_n\}$ themselves have a large centralizer. Another strategy is to abandon simultaneity, i.e., to consider the critical case $m = n = 1$. Note that only for shifted conjugacy (and its generalizations) we have the opportunity to abandon simultaneity, because only here the submagmas $\langle s \rangle_*$, $\langle s \rangle_{\bar{*}}$ generated by one element are nontrivial. This is not the case for $f$-conjugacy or the LD-operation $\circ$ from section 4.1.5.

Generalized shifted conjugacy. It is straightforward to construct non-associative KEP's using generalized shifted conjugacy operations. We leave this to the reader.

5 Generalizations, further work and open problems

5.1 AAG-schemes over non-associative and non-commutative algebras

It is possible to generalize the AAG-KEP for magmas from section 3.1 in several ways. One generalization is very simple: just replace the magmas $(M, \bullet_1, \bullet_2)$ and $(N, \circ_1, \circ_2)$ by $(M, \{\bullet_{1,i}\}_{i \in I_1}, \{\bullet_{2,i}\}_{i \in I_2})$ and $(N, \{\circ_{1,i}\}_{i \in I_1}, \{\circ_{2,i}\}_{i \in I_2})$ for some index sets $I_1, I_2$, i.e. we introduce further binary operations. In particular, in the special case given by $M = N = S_1 = S_2$ and $\pi_1 = \pi_2 = \mathrm{id}_M$, Alice chooses her secret key $a$ as an element from the submagma $\langle s_1, \dots, s_m \rangle_{\{\bullet_{1,i}\}_{i \in I_1}}$. To describe an element of such a submagma it is not sufficient to know the planar rooted binary tree $T$ (providing the bracket structure) and the leaf elements $r_1, \dots, r_k \in \{s_1, \dots, s_m\}$, but we also need to assign binary operations (from the set $\{\bullet_{1,i}\}_{i \in I_1}$) to the internal nodes of the tree $T$.
For example,

In the following we write $T_{\{\bullet_{1,i}\}_{i \in I_1}}$, and we assume that $T$ is then a planar rooted binary tree accompanied with such an assignment of its internal nodes. Here we have to modify condition (1) from section 3.1 in the obvious way:

(1') $\beta_1(x, \cdot) : (M, \bullet_{2,i}) \to (N, \circ_{2,i})$ is for all $x \in S_1$, $i \in I_2$ a magma homomorphism, i.e.

$$\forall x \in S_1,\ y, y' \in M,\ i \in I_2 :\quad \beta_1(x, y \bullet_{2,i} y') = \beta_1(x, y) \circ_{2,i} \beta_1(x, y').$$

Also $\beta_2(x, \cdot) : (M, \bullet_{1,i}) \to (N, \circ_{1,i})$ is for all $x \in S_2$, $i \in I_1$ a magma morphism, i.e.

$$\forall x \in S_2,\ y, y' \in M,\ i \in I_1 :\quad \beta_2(x, y \bullet_{1,i} y') = \beta_2(x, y) \circ_{1,i} \beta_2(x, y').$$

If $\beta_1, \beta_2$ are defined by a binary operation from a bi- or multi-LD-system, then condition (1') is satisfied by construction. Now one may build KEP's with this obvious modification. One example is the AAG shifted commutator KEP for the bi-LD-system $(B_\infty, *, \bar{*})$. Indeed, there Alice and Bob may have chosen their secret keys from $\langle s_1, \dots, s_m \rangle_{*, \bar{*}}$ of $(B_\infty, *, \bar{*})$ and $\langle t_1, \dots, t_n \rangle_{*, \bar{*}}$, respectively.

Recall that bi- and multi-LD-systems fulfill more homomorphic properties (i.e. distributive laws) than is necessary to build a KEP. As an example, consider the group ring $\mathbb{Z}G$. Recall that $(G, *_f)$ is an LD-system for any $f \in \mathrm{End}(G)$. By construction, $(\mathbb{Z}G, *_f, +)$ is a non-commutative and non-associative algebra. It is straightforward to build a non-associative KEP over $\mathbb{Z}G$ analogous to the non-associative AAG $f$-commutator KEP. The only modification is that we choose the secret keys $a \in \langle s_1, \dots, s_m \rangle_{*_f, +}$ and $b \in \langle t_1, \dots, t_n \rangle_{*_f, +}$ for $s_1, \dots, s_m, t_1, \dots, t_n \in \mathbb{Z}G$.

Analogously, it is straightforward to build a non-associative KEP over the non-associative bialgebra $(\mathbb{Z}B_\infty, *, \bar{*}, +)$.

Furthermore, one could consider non-commutative (but associative) special cases of these KEP's over non-associative algebras, if one restricts the secret keys $a, b$ (or more precisely the projections $\pi_1(a), \pi_2(b)$) to $\langle s_1, \dots, s_m \rangle_+$ and $\langle t_1, \dots, t_n \rangle_+$, respectively.

5.2 Open problems and further work

• The AAG-KEP for magmas (see section 3.1) describes a general framework for building non-associative key establishment protocols. Our main examples are provided by LD-operations ($f$-conjugacy in groups and shifted conjugacy in braid groups). Recall also the systems based on (simultaneous) symmetric DP employing the non-associative operation given by $x \bullet y = x y^{-1} x$.

Find other interesting instances of the general AAG-KEP for magmas (see section 3.1).

Find other platform groups for the non-associative AAG $f$-commutator KEP (see section 4.2).

In particular, solve the (simultaneous) $f$-conjugacy problem in pure braid groups for the endomorphism $f$ described in section 4.2.1.

How rigid are the solutions to the $f$-conjugacy problem in pure braid groups and the shifted conjugacy problem in braid groups? Note that, contrary to the $f$-conjugacy problem in pure braid groups, there exists a solution to the shifted conjugacy problem in braid groups [KLT09].

Investigate heuristic attacks, especially length-based attacks [HT02], [GK+05], on the submagma MSP for non-associative LD-operations $*$ in braid groups. Of particular interest here is the non-simultaneous case $m = 1$, which emerges only for non-associative operations, i.e. consider the submagma MSP for the submagma $\langle s_1 \rangle_*$ generated by only one element.

Recall the important special case of the AAG-KEP for magmas where $S = M = N$ is an LD-system. Depending on the LD-operation $*$, we constructed for some instances non-associative KEP's by specifying the functions $\gamma_i$ ($i = 1, 2$). It would be nice to have non-associative KEP's for all LD-systems.

Such non-associative KEP's for all LD-systems, bi-LD- and multi-LD-systems (in general: sets with distributive operations) have been constructed; see our forthcoming paper [KaT12]. There we have to go even a step beyond the general AAG-KEP for magmas, and we introduce a small asymmetry in the non-associative AAG protocol. Indeed, we consider the systems and instances given in [KaT12] as more practical and interesting than the ones given in this paper. Since the KEP's given in [KaT12] work for all multi-LD-systems, they deploy two further advantages.

(1) We can consider encryption functions using iterated $*$-multiplication from the left. In order to obtain the secret key an attacker then has to solve an iterated $f$- or shifted conjugacy problem.

(2) For a given (partial) multi-LD-system $(M, \{*_i\})$ it turns out that even the used operations $*_i$ can be hidden, i.e., they are part of the secret key.

Develop other primitives like signature and authentication schemes in non-associative cryptography.

Here we concentrated on KEP's, which are usually the hardest to construct. Note that, using hash functions, it is easy to build public key encryption schemes from KEP's.

For infinite groups, like braid groups, there are limitations on the depths of the trees describing a submagma element. Consider for example $f$-conjugacy in an infinite group $G$ where $f \in \mathrm{End}(G)$ satisfies $|f(x)| \le |x|$ for all $x \in G$. Denote by $|\cdot| = |\cdot|_X$ the word length over some given generating set $X$ of $G$. We conclude that

$$|x *_f y| \le |f(x^{-1})| + |f(y)| + |x| \le 2|x| + |y| \le 3 \max\{|x|, |y|\}.$$

Now, consider the following two extreme cases of trees with $k$ leaves defining the bracket structure of a magma element in $\langle s_1, \dots, s_m \rangle_*$ ($* = *_f$). The left comb ($r_j \in \{s_i\}_{i \le m}$ for all $j = 1, \dots, k$)

$$LC(r_1, \dots, r_k) := r_1 * (r_2 * (r_3 * \cdots (r_{k-2} * (r_{k-1} * r_k)) \cdots )),$$

and the right comb

$$RC(r_1, \dots, r_k) := ((\cdots ((r_1 * r_2) * r_3) * \cdots * r_{k-2}) * r_{k-1}) * r_k.$$

If $|s_i| \le l$ for all $i = 1, \dots, m$, then one may show by induction that

$$|LC(r_1, \dots, r_k)| \le (2k - 1)\, l, \qquad |RC(r_1, \dots, r_k)| \le (2^k - 1)\, l.$$

I.e. we can only prove an exponential (in $k$) upper bound on the word length of a magma element of tree depth $k - 1$. But for left combs we have a linear upper bound. In practice, one may consider as keys either only elements of small tree depth, or we choose such elements whose bracket structure defining trees have a small "distance" from a left comb. Define a proper notion of "distance" of planar rooted binary trees, and investigate how the word length grows for trees with "small distance" from the left comb $LC$. Determine a method how such trees can be generated efficiently.

• Recently B. Tsaban developed a deterministic polynomial time attack on the AAG commutator KEP in linear groups [Ts12] which also applies to several other non-commutative schemes. In short, Tsaban's linear centralizer attack exploits the fact that in the classical AAG-KEP the shared key is the commutator $K = a^{-1} b^{-1} a b$. So, if we find solutions (up to centralizer elements) inside the centralizer of the centralizer of, say, $S_A$, then these centralizer elements cancel and we recover $K$, even if these solutions were only in the linear matrix group in which we embed our linear group. But for KEP's with shared key $K = a_l b_l a_r b_r$, or $K$ being an $f$-commutator in groups or a shifted commutator in braid groups, these centralizer elements would not cancel. Therefore, we conclude that, in its present state, the linear centralizer attack does not apply to most of the non-associative schemes presented in this paper.

Can the linear centralizer attack be improved to make it work against these KEP's?
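Added example, not code from the paper: the protocol steps of section 4.3 run with $f$-conjugacy $x *_f y = f(x^{-1}) f(y) x$ in place of shifted conjugacy, over the free group $F_\infty$ with the shift $f(x_i) = x_{i+1}$ as an assumed stand-in platform (the braid shift $\partial$ and the $\sigma_1$ factor are not modelled, so the shared key is the $f$-commutator $[a, b]_f = a^{-1} f(b^{-1}) f(a) b$ rather than $[a, b]_{sh}$). The block also evaluates the left and right combs of the previous item so the linear versus exponential length bounds can be checked on constructed generators; the tree encoding, function names and sample words are all assumptions.

```python
# Added example, not the paper's code: the AAG f-commutator KEP (steps 1-4 of
# section 4.3, with f-conjugacy in place of shifted conjugacy) over the free group
# F_inf with the shift f(x_i) = x_{i+1}, plus the comb length bounds of section 5.2.
# Group elements are freely reduced words: tuples of nonzero ints, where i stands
# for the generator x_i and -i for its inverse.
from functools import reduce

def freely_reduce(word):
    out = []
    for g in word:
        if out and out[-1] == -g:      # cancel an adjacent x x^-1 pair
            out.pop()
        else:
            out.append(g)
    return tuple(out)

def mul(*words):
    return freely_reduce(sum(words, ()))
def inv(word):
    return tuple(-g for g in reversed(word))
def shift(word):
    """The endomorphism f: x_i -> x_{i+1}; it preserves length, so |f(x)| <= |x|."""
    return tuple(g + 1 if g > 0 else g - 1 for g in word)

def star(x, y):
    """f-conjugacy x *_f y = f(x^-1) f(y) x: left self-distributive, not associative."""
    return mul(shift(inv(x)), shift(y), x)

def f_commutator(a, b):
    """The shared key [a, b]_f = a^-1 f(b^-1) f(a) b."""
    return mul(inv(a), shift(inv(b)), shift(a), b)

# A submagma element is a planar rooted binary tree: leaf = word, node = [left, right].
def leaves(tree):
    return {tree} if isinstance(tree, tuple) else leaves(tree[0]) | leaves(tree[1])

def evaluate(tree, leaf_map=lambda w: w):
    """T(leaf_map(r_1), ..., leaf_map(r_k)); with leaf_map = b *_f (.) this equals
    b *_f T(r_1, ..., r_k) by left distributivity, which is what step 3 relies on."""
    if isinstance(tree, tuple):
        return leaf_map(tree)
    return star(evaluate(tree[0], leaf_map), evaluate(tree[1], leaf_map))

def run_kep(alice_tree, bob_tree):
    """Steps 1-4; the leaves of the trees are the public generators s_i and t_j."""
    a, b = evaluate(alice_tree), evaluate(bob_tree)          # 1: secret keys
    pub_alice = {t: star(a, t) for t in leaves(bob_tree)}    # 2: Alice sends a *_f t_j
    pub_bob = {s: star(b, s) for s in leaves(alice_tree)}    #    Bob sends b *_f s_i
    b_star_a = evaluate(alice_tree, lambda s: pub_bob[s])    # 3: Alice gets b *_f a
    a_star_b = evaluate(bob_tree, lambda t: pub_alice[t])    #    Bob gets a *_f b
    return a, b, mul(inv(a), b_star_a), mul(inv(a_star_b), b)  # 4: K_Alice, K_Bob

def left_comb(words):   # LC(r_1..r_k) = r_1 * (r_2 * (... * r_k)); |LC| <= (2k-1) l
    return reduce(lambda acc, r: [r, acc], reversed(words[:-1]), words[-1])
def right_comb(words):  # RC(r_1..r_k) = ((r_1 * r_2) * ...) * r_k; |RC| <= (2^k-1) l
    return reduce(lambda acc, r: [acc, r], words[1:], words[0])
def comb_lengths(words):
    return len(evaluate(left_comb(words))), len(evaluate(right_comb(words)))

if __name__ == "__main__":
    s = [(1, 2), (2, -1), (1, 1, 3)]     # constructed public generators s_1..s_3
    t = [(3, -2), (1, 3), (-2, 1, 1)]    # constructed public generators t_1..t_3
    a, b, k_alice, k_bob = run_kep([s[0], [s[2], s[1]]], [[t[1], t[0]], t[2]])
    print("keys agree:", k_alice == k_bob == f_commutator(a, b))
    print("(|LC|, |RC|):", [comb_lengths((s * 3)[:k]) for k in (2, 4, 6, 8)])
```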

References 

[AAG99] Iris Anshel, Michael Anshel and Dorian Goldfeld, An algebraic method for public-key cryptography, Mathematical Research Letters 6 (1999), 1-5.

[AAG03] Iris Anshel, Michael Anshel and Dorian Goldfeld, Non-abelian key agreement protocols, Discrete Applied Mathematics 130 (2003), 3-12.

[Bo74] Nicholas Bourbaki, Elements of Mathematics: Algebra I, Hermann (1974).

[CDW07] Zhenfu Cao, Xiaolei Dong and Licheng Wang, New Public Key Cryptosystems Using Polynomials over Non-commutative Rings, (2007).


[CK+01] Jae Choon Cha, Ki Hyoung Ko, Sang Jin Lee, Jae Woo Han and Jung Hee Cheon, An efficient implementation of braid groups, Advances in Cryptology - ASIACRYPT 2001, LNCS 2248, Springer (2001).

[De00] Patrick Dehornoy, Braids and Self-Distributivity, Progress in Math. 192, Birkhäuser (2000).

[De06] Patrick Dehornoy, Using shifted conjugacy in braid-based cryptography, in: L. Gerritzen, D. Goldfeld, M. Kreuzer, G. Rosenberger and V. Shpilrain (Eds.), Algebraic Methods in Cryptography, Contemporary Mathematics 418, AMS (2006), 65-73.

[DK74] J. Denes and A. D. Keedwell, Latin Squares and their Applications, Academiai Kiado, Budapest, 1974.

[DK91] J. Denes and A. D. Keedwell, Latin Squares. New Developments in the Theory and Applications, Annals of Discrete Mathematics, volume 46, North-Holland, 1991.

[DK92] J. Denes and A. D. Keedwell, A new authentication scheme based on latin squares, Discrete Math. 106/107 (1992), 157-165.

[DK02] J. Denes and A. D. Keedwell, Some applications of non-associative algebraic systems in cryptology, P.U.M.A. 12 (2) (2002), 147-195.

[DH76] Whitfield Diffie and Martin E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976), 644-654.

[El85] Taher ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (1985), 469-472.

[Ge94] Lothar Gerritzen, Grundbegriffe der Algebra: eine Einführung unter Berücksichtigung funktorieller Aspekte, Vieweg (1994).

[GK+05] David Garber, Shmuel Kaplan, Mina Teicher, Boaz Tsaban and Uzi Vishne, Probabilistic solutions of equations in the braid group, Advances in Applied Mathematics 35 (2005), 323-334.

[GMK08] D. Gligoroski, S. Markovski and S. J. Knapskog, Public key block cipher based on multivariate quadratic quasigroups, Cryptology ePrint Archive, Report 2008/320.

[GS10] O. Grosek and M. Sys, Isotopy of latin squares in cryptography, Tatra Mt. Math. Publ. 45 (2010), 27-36.

[HT02] J. Hughes and A. Tannenbaum, Length-based attacks for certain group based encryption rewriting systems, Workshop SECI02 Sécurité de la Communication sur Internet, Tunis (2002).

[Ka07] Arkadius Kalka, Representations of braid groups and braid-based cryptography, PhD thesis, Ruhr-Universität Bochum (2007). www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/KalkaArkadiusG/


[KLT09] Arkadius Kalka, Eran Liberman and Mina Teicher, A Note on the Shifted Conjugacy Problem in Braid Groups, Groups - Complexity - Cryptology 1 (2) (2009), 227-230.

[KaT12] Arkadius Kalka and Mina Teicher, Non-associative Key Establishment Protocols for all LD-systems, in preparation (2012).

[KL+00] Ki Hyoung Ko, Sang Jin Lee, Jung Hee Cheon, Jae Woo Han, Ju-sung Kang and Choonsik Park, New Public-key Cryptosystem Using Braid Groups, Advances in Cryptology - CRYPTO 2000, LNCS 1880, Springer (2000).

[Ko87] Neal Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48 (1987), 203-209.

[KM99] C. Koscielny and G. L. Mullen, A quasigroup-based public-key cryptosystem, Int. J. Appl. Math. Comp. Sci. 9 (4) (1999), 955-963.

[Mi85] V. Miller, Use of elliptic curves in cryptography, Advances in Cryptology - CRYPTO '85, LNCS 218, Springer (1985), 417-426.

[MZ12] Ehsan Malekian and Ali Zakerolhosseini, A non-associative lattice-based public key cryptosystem, Security and Communication Networks 5 (2) (2012), 145-163.

[PZ03] J. Proos and C. Zalka, Shor's discrete logarithm quantum algorithm for elliptic curves, Quantum Information and Computation 3 (2003), 317-344.

[Ra79] M. O. Rabin, Digitized signatures and public-key functions as intractable as factorization, MIT Laboratory for Computer Science Technical Report LCS/TR-212 (1979). Currently available from: www.lcs.mit.edu/publications/pubs/pdf/MIT-LCS-TR-212.pdf

[RSA78] Ron L. Rivest, Adi Shamir and Leonard Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM 21 (1978), 120-126.

[Se65] Jean-Pierre Serre, Lie algebras and Lie groups, Benjamin (1965).

[Shc09] V. A. Shcherbacov, Quasigroups in cryptology, Computer Science Journal of Moldova 17 (2) (50), 2009.

[Shc12] V. A. Shcherbacov, Quasigroup based crypto-algorithms, arXiv:1110.6591v1 (2012).

[Sh97] Peter Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 5 (1997), 1484-1509.

[SU06] Vladimir Shpilrain and Alexander Ushakov, The Conjugacy Search Problem in Public Key Cryptography: Unnecessary and Insufficient, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 285-289.


[SZ06] Vladimir Shpilrain and Gabriel Zapata, Combinatorial Group Theory and Public Key Cryptography, Applicable Algebra in Engineering, Communication and Computing 17 (2006), 291-302.

[STR07] Eligijus Sakalauskas, Povilas Tvarijonas and Andrius Raulynaitis, Key agreement protocol (KAP) using conjugacy and discrete logarithm problems in group representation level, Informatica 18 (2007), no. 1, 115-124.

[Ts12] Boaz Tsaban, Polynomial time cryptanalysis of noncommutative-algebraic key exchange protocols, preprint, arXiv (2012).

[WM85] Neal R. Wagner and Marianne R. Magyarik, A public key cryptosystem based on the word problem, Advances in Cryptology, Proceedings of Crypto '84, LNCS 196, Springer-Verlag (1985), 19-36.

E-mail address: arkadius.kalka@rub.de

School of Mathematics and Physics, University of Queensland, Brisbane, Australia
